Linux offers you ways to go green and save some green at the same time
CFENGINE FOR CONFIGURATION MANAGEMENT


How to use cfengine to manage configuration files 
across large numbers of machines. 


Scott Lackey 


PXE MAGIC: FLEXIBLE NETWORK BOOTING
WITH MENUS
What if you never had to carry around an install or
rescue CD again? Set up a PXE boot server with menus
and put them all on the network.


Kyle Rankin 
GRAPHIC ADMINISTRATION WITH WEBMIN
New to Linux administration? Webmin can help 
you out. 

Federico Kereki 
Next Month


TELEPHONY 


Next month, Dan Sawyer 
compares VoIP programs for use 
with podcasting, and Federico 
Kereki shows you how to set up 
Skype to turn your computer 
into a phone, complete with 
instant messaging, file transfer 
and video conferencing. Plus, 
Doc Searls interviews tech 
pioneer Bob Frankson, who sees 
the “last mile” of the Internet 
as the end of the road for 
telecom—and the beginning 
of a networked world we make 
for ourselves. 


As always, there’s much more. 
LJ columnist Dave Taylor 
details installing and testing 
Ubuntu Linux within both 
VMware Fusion and Parallels 
Desktop on Mac OS X, John 
Knight takes a look at some 
promising new Linux software, 
and Salah M. S. Al-Buraiky 
gives an MIPv6 primer.
No Virtual Panning for You!
Having recently read the Laptop Buying
Guide in the December 2007 issue of LJ,
I thought I’d let you know about something
not mentioned in the article.
Anyone who enjoys using a virtual screen 
resolution should steer clear of any note- 
book based on the Intel Graphics Media 
Accelerator X3100 (found in the Dell 
Inspiron 1420N mentioned in the Laptop 
Buying Guide). This chipset is unfortu- 
nately quite common and used in many 
of the “lower-end” modern notebooks. 


I just bought a Lenovo Y410 to replace my
six-plus-year-old HP N5450, which I use as
a table-top PC at home. Going from a
PIII-850 with 384MB RAM, S3 Savage
video and 60GB drive (upgraded—the
20GB original drive died a year or so ago),
you'd think I’d be thrilled with a Core 2
Duo 1.5GHz, 2GB RAM, 160GB SATA
drive, built-in dual-layer DVD burner,
802.11g and so on, and for just $650
after rebate—if I get that rebate! But the
truth is, I’m still using that old HP a month
and a half after buying the Lenovo.


The Lenovo came with Vista, but of
course the first thing I did when I got it
home was boot up an Ubuntu 7.10 CD.
Running live from the CD, I was amazed
that the 1280x800 native screen resolution
worked automatically, and that I
was able to get the Intel Pro/Wireless
3945ABG working on the home wireless
without any hacking. Getting the built-in
1.3M Webcam working did require actu- 
ally downloading and compiling linux-uvc, 
but that was relatively painless. Sound 
support is a little sketchy. Under Ubuntu 
7.10, it doesn’t work automatically. You 
have to edit /etc/modprobe.d/alsa-base, 
and set the snd-hda-intel model to fujitsu. 
That gets the internal speakers working, 
but the headphones jack is totally non- 
functional (no sound output, and plug- 
ging in to it doesn’t silence the internal 
speakers). For my intended use (table PC 
at home), that’s not a huge deal. 


But as I mentioned, the biggest issue I
have with this notebook is the X3100
and Intel GM965 graphics chipset, or
rather the X.org X server written for it.
I've been using Linux since about 1994
(and incidentally, I’ve been an LJ subscriber
since about issue #2), and this is
the first X server I can remember running
into that doesn’t support panning around
a virtual screen resolution greater than
the actual screen resolution. From talking
to other Linux users, I gather this is one
of those emacs/vi issues. Some people
hate and never use Virtual. Others always
use it when there's enough video memory
to support it. On my old HP I use Virtual
1600 1200. On my desktops at home
and work, I use Virtual 2500 2048. These
virtual resolutions allow me to have several
terminal windows, a browser, IM client,
MP3 player and so on, all “visible” on
one screen with little or no overlapping
windows. I just pan around with my
trackball/touchpad to the part of the
virtual screen I want to see.


Nobody seems to mention the death of 
this feature when talking about current 
notebooks. It was only after considerable 
Googling that I found this thread where
one of the authors of the Intel X server
clearly states, “no Virtual panning for
you!” (lists.freedesktop.org/archives/xorg/2007-April/023841.html).


This is a big enough issue for me that 
as soon as Xi Graphics supports the
i965GM, I'm going to gladly pay them
$129 for a full-featured X server. 


In the meantime, I'll have to get by 
with multiple workspaces and have 
installed brightside so that I can “pan”
to adjacent workspaces just by moving
the pointer off the edge of the current
workspace. It’s not the same, but it’s
apparently the best I can do for now.


Jon Lewis 


We Don’t Need No Stinking 
Perl (in Our Shell Scripts)! 

Well, Dave (Taylor) threw down an 
irresistible challenge in his January 2008 
column when he remarked that he 
couldn't imagine a shell-only method of 
calculating the ordinal value of a letter, 
“without extraordinary levels of effort”. 


I actually found three different ways
of doing this, and while it did take a
certain amount of effort to refresh my
memory on some details, I think the
resulting methods are all reasonably 
simple. I’ve presented them below; the 
following examples are intended to be 
drop-in replacements for this line on 
page 31 of the January 2008 issue: 


ordvalue="$(echo $letter | \ 
perl -e '$a=getc(); print ord($a)-96' )" 


Solution 1: 


# Do this array initialization prior
# to using "LETTERS".
LETTERS=(0 {a..z})

ordvalue=1
while [ ${LETTERS[$ordvalue]} != $letter ]; do
    ordvalue=$(( ordvalue + 1 ))
done


The LETTERS array is initialized with the 
letters of the alphabet, each in its ordinal 
position—that is, a is in the [1] position. 
The while loop simply uses ordvalue as 
an index into the array, incrementing it 
until it points to the array element that 
matches the desired letter. Note: Using 0 
as the value of the first array element is 
quite arbitrary; any value will do. 


Solution 2:


# Do this string initialization prior
# to using "LETTERS".
LETTERS=0abcdefghijklmnopqrstuvwxyz

FOO=${LETTERS%${letter}*}
ordvalue=${#FOO}

The FOO= line matches a pattern in 
the LETTERS string; the pattern is the 
specified letter, then anything else. 
This pattern is removed from the end 
of the LETTERS string, and the length 
of the resulting string is determined. 
Since this length is simply the number 
of characters that precede the speci- 
fied letter in the alphabet, it gives the 
letter’s ordinal value. Note that as in 
the first solution, the 0 at the start 
of LETTERS is an arbitrary character. 
There is simply a need to have one 
extra character at the start of the 
string to get the string lengths right, 
given the way that the pattern 
matching/string truncation works. 


Solution 3: 


FOO=$(eval echo {a..$letter})
ordvalue=$(( (${#FOO} + 1) / 2 ))


This one is a little bit more arcane; the
FOO= line puts a string of the form
“a b c d e f” into FOO (assuming in this
case that letter is f), and the next line 
finds the length of that string, adds 1 to 
it, and then divides that result by 2. This 
effectively gives the length of the string 
abcdef, which is the ordinal value of f. 


Now, my question for Dave: is there 
some way of nesting operations, such 
that the temporary variable FOO could 
be eliminated from Solutions 2 and/or 
3? I can't seem to figure out what it
is, if such a way exists! 


Mike Henders 
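
The sketch below is an added example, not part of the letter or of Dave Taylor's column. It wraps Solution 2 in an input check and shows a printf form that needs no temporary variable; the check matters most for Solution 3, which passes $letter through eval and so must only ever see a single lowercase letter. The function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the letter): ordinal value of a lowercase letter,
# with the input checked before it reaches any pattern match or arithmetic.
# Function names are hypothetical; $letter and ordvalue follow the letter above.

LETTERS=0abcdefghijklmnopqrstuvwxyz

# True only for exactly one character a..z. The class is spelled out because
# [a-z] can match other characters under some locale collation orders.
is_lower_letter() {
    case "$1" in
        [abcdefghijklmnopqrstuvwxyz]) return 0 ;;
        *) return 1 ;;
    esac
}

# Solution 2 behind the guard: strip the letter and everything after it from
# LETTERS; the length of what remains is the ordinal value.
ord_by_strip() {
    is_lower_letter "$1" || { echo "not a lowercase letter: '$1'" >&2; return 1; }
    prefix=${LETTERS%"$1"*}
    echo "${#prefix}"
}

# No temporary variable: printf '%d' "'x" yields the character code of x
# (97 for a), so subtracting 96 gives the ordinal value.
ord_by_printf() {
    is_lower_letter "$1" || { echo "not a lowercase letter: '$1'" >&2; return 1; }
    echo "$(( $(printf '%d' "'$1") - 96 ))"
}

# Cross-check both methods over the whole alphabet.
check_all() {
    expected=1
    for l in a b c d e f g h i j k l m n o p q r s t u v w x y z; do
        [ "$(ord_by_strip "$l")" = "$expected" ] || return 1
        [ "$(ord_by_printf "$l")" = "$expected" ] || return 1
        expected=$((expected + 1))
    done
}

# Drop-in use with the column's variable names.
letter=f
ordvalue=$(ord_by_printf "$letter")
echo "$letter -> $ordvalue"
```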


Correction: February 2008 

LJ Index 

Regarding number 12 on the February 
2008 LJ Index—I’m thinking this is a typo
or something: 900 billion Nokia phones 
in use? 150 for every human being on 
the planet? That seems a little not right. 


Keith Blackwell 


Doc Searls replies: My error, Keith. It’s 
900 million. Thanks for pointing it out. 


Sometimes you may want to find all files modified during the installation of a
given package. This problem can be solved simply as follows:


echo temp > /tmp/afile
# Install your package
# Find files modified in /etc
find /etc -newer /tmp/afile


A useful variation is to identify all files “accessed” during the execution of 
a given program. Often some files under /etc are accessed, and you need to 
know which ones. This can be done as follows: 


echo temp > /tmp/afile 
# Run your program 
find /etc -anewer /tmp/afile 


A sneaky variation is to find all files modified between time1 and time2. 
Let’s use the times 2007-12-02 13:45 and 2007-12-04 01:30 as an example: 


touch -t 200712021345.00 /tmp/file1
touch -t 200712040130.00 /tmp/file2
find /etc -newer /tmp/file1 -a ! -newer /tmp/file2


This works by using touch -t to set the modification times of two reference
files, which then bound the date range that find tests against.


—KIM HENDRIKSE 
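
The time-window search above, wrapped as a reusable function; this is an added example, not part of the original tip. The function names and the sample files are constructed for illustration, and the reference files are created in a private mktemp directory instead of under fixed names in /tmp.

```shell
#!/bin/sh
# Added example (not from the tip): list regular files under a directory whose
# modification time falls in (START, END]. Function names are hypothetical.
# START and END use the touch -t format, for example 200712021345.00.

modified_between() {
    dir=$1 start=$2 end=$3
    # Private reference files in a fresh mktemp directory, rather than fixed
    # names in the shared /tmp, so no other user can pre-create or replace them.
    ref=$(mktemp -d) || return 1
    if touch -t "$start" "$ref/start" && touch -t "$end" "$ref/end"; then
        # -newer is strict: newer than start, and not newer than end.
        find "$dir" -type f -newer "$ref/start" ! -newer "$ref/end" | sort
        status=0
    else
        echo "bad timestamp: $start or $end" >&2
        status=1
    fi
    rm -rf "$ref"
    return "$status"
}

# Constructed sample: three files with known modification times, checked
# against the window used in the tip (2007-12-02 13:45 to 2007-12-04 01:30).
demo_modified_between() {
    work=$(mktemp -d) || return 1
    touch -t 200712011200.00 "$work/before.conf"
    touch -t 200712030900.00 "$work/inside.conf"
    touch -t 200712050000.00 "$work/after.conf"
    (cd "$work" && modified_between . 200712021345.00 200712040130.00)
    rm -rf "$work"
}

demo_modified_between   # prints ./inside.conf
```

The -anewer variant relies on access times being recorded, so on filesystems mounted noatime or relatime it can miss files that were read.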
diff -u
WHAT'S NEW IN KERNEL DEVELOPMENT

Dave Jones has tracked down every available kernel release,
prerelease, release-candidate and whatnot, right down to Linux
version 0.01, and created a 2GB git repository of the whole thing, at
git://git.kernel.org/pub/scm/linux/kernel/git/davej/history.git.
For almost half of
the thousand or so commits, Dave also 
has scoured the mailing lists and retrieved 
changelog entries. This represents the most 
complete Linux repository ever compiled, 
although unfortunately, it does seem as 
though some kernel versions have been 
truly lost forever. Also, unlike current kernel 
development, Dave's repository does not 
have a patch-by-patch accounting of every 
change, because no record was ever kept of 
those individual changes. Only the versions 
actually released by Linus Torvalds have 
come down to us, each of which represents 
dozens or hundreds of individual patches, 
mashed together as one. Given the wacky 
nature of some of these kernel hackers, it’s 
possible that various folks will try to correct 
and expand Dave's repository during the 
coming years, and there's no telling how 
detailed it might become over time. Linus 
has volunteered to recompose changelog 
entries from memory, if other people do the 
work of gathering the patches together. 
Now Dave has a big pile of commits ready 
for Linus to make good on; once he's 
done with that, maybe someone will 
have more commits for him to comment 
on. In the meantime, Dave already has 
accomplished something of tremendous 
benefit to anyone interested in the history 
of kernel development. 

Pavel Machek has started a daring 
attempt to give Linux systems the ability to 
go to sleep in response to one desired event 
and to wake up in response to another. The 
path is fraught with difficulties—the main 
one being the plethora of hardware in the 
world, all with different bugs and behaviors. 
Trying to support this feature universally will 
be like threading a very strange and compli- 
cated needle. Most of the early comments 
from other kernel folks were along the lines 
of “this can’t be done”—to which Pavel 
essentially responded, “well, not fully, no, 
but this really cool part might be doable”. 
So, by the end of the discussion, various
folks ended up suggesting other really cool
parts that might be doable as well. All in all, 
it looks to be a very piecemeal project, but 
one with fun results. Pavel envisions a sys- 
tem that might wake up playing particular 
MP3s in the morning or if particular network 
traffic comes down the wire. With so many 
folks starting to show interest, it may turn 
out that the whole thing is doable, one way 
or the other. 

Borislav Petkov has taken over main- 
tainership of the IDE-CD driver, in the wake 
of a major code reworking by Bartlomiej 
Zolnierkiewicz. Bartlomiej had done this as 
a one-off, just to bring the driver back into a 
maintainable state. Because it hadn’t had a 
maintainer for quite a while, all the fixes 
and other changes going into it had tended 
to make the code uglier and more difficult 
to understand. Bartlomiej's work cleaned 
up the code and also made it easier for the 
libata ATAPI developers and others to 
identify all the hardware special cases they'll 
need to code around in their own projects. 
With the driver now in a workable state, 
Borislav should have a fairly straightforward 
time carrying it along. 

There have been some other maintainership
changes recently. Hans-Jürgen
Koch has teamed up with Greg Kroah-Hartman
as co-maintainers of UIO
(Userspace Input/Output). Swen Schillig
also recently stepped down as the zFCP 
maintainer, saying the project was about to 
undergo a major rewrite, and he didn’t 
have time to shepherd it through that. 
Instead, he’s patched the MAINTAINERS 
file to list Christof Schmitt and Martin
Peschke as the new co-maintainers during 
the rewrite, although they probably will 
continue to be the maintainers after the 
new code settles. Additionally, Joe Perches 
has removed the TMS380 Token-Ring 
Network Driver entry from the 
MAINTAINERS file, formerly maintained 
by Adam Fritzler. 

While Joe was making that change, he 
also updated Adam's e-mail address wherever 
it appeared in the kernel tree. As a result of 
this, Andrew Morton initiated a new policy 
of keeping all contributor e-mail addresses 
in a single location, giving their names in 
the various files they touched, so that if 
an address changed, it would need to be 
updated only in one place. Joe fixed all the 
cases involving Adam. 

A variety of new drivers has been
submitted into the kernel. Some of these
have been written recently, and others have
been marinating in various forked trees until
now. David Sterba’s 3G UMTS PCMCIA
card wireless driver has been in Andrew
Morton’s -mm tree for a while, and he
recently submitted it to Linus Torvalds for
inclusion in the main tree. After various
technical comments from a few different
folks, Andrew endorsed the patch and
passed it up to Linus. Some code submissions
this month came from longer ago
than that. Harald Welte unearthed some
work by Thomas Kleffel to support the
Samsung S3C24xx SD/MMC controller.
Thomas’ work had never made it into the 
kernel proper and had grown a bit stale in 
the intervening years. Harald had brought it 
up to date with the current tree and the rel- 
evant APIs. He and Thomas planned to share 
maintainership once the code was accepted 
formally. And, Andrzej Zaborowski 
submitted the OMAP1 PWL-based LCD 
backlight driver to Linus, after it had lived 
for some time in the OMAP tree. 

Other driver submissions were more 
genuinely new than David's, Andrzej's and 
Harald’s work. Thomas Bogendoerfer submitted
a new serial driver for SC2681/SC2691
UARTs, used in some older SNI RM400 
systems. Alex Dubov submitted a patch 
to support Sony’s Memory Stick card, 
in spite of the card using a proprietary, 
unpublished protocol. Speaking of 
supporting proprietary hardware, Adrian 
McMenamin wrote a CD-ROM driver for 
the SEGA Dreamcast. The driver supports 
the proprietary Giga Disk ROM format 
(aka GD-ROM). 

Among the numerous new drivers sub- 
mitted this time around, several of them 
were for system-monitoring systems. Jochen 
Friedrich’s submission supports the watch- 
dog timer on Power QUICC hardware. 
This driver reboots the system if it is not 
touched periodically by software (that is, if 
the system has crashed). Darrick J. Wong 
wrote a driver to support tracking volt, 
temperature and fan sensor readings on the 
ADT 7473 monitor chip. And, Steve Hardy 
submitted code to support the Burr-Brown/ 
Texas-Instruments ADS7972 12-bit, 
eight-channel A-D converter, which monitors 
voltage on various off-the-shelf CPUs. 

—ZACK BROWN 


LJ Index, 
April 2008 


1. Thousands of Linux-based ASUS Eee PCs the
company hoped to sell by the end of 2007: 300

2. Thousands of ASUS Eee PCs the company
actually sold by the end of 2007: 350

3. Thousands of Ubuntu-based NComputing
thin clients to be deployed to students at
schools in Macedonia: 180

4. Estimated hundreds of dollars in cost per
student for the above clients: 1

5. Percentage of schools in Macedonia covered
by the NComputing deal: 100

6. Number of rural North Carolina schools
deploying NComputing’s Linux-based
desktop virtualization: 25

7. Thousands of NComputing systems
deployed in the above schools: 13

8. Thousands of NComputing systems deployed
worldwide: 500

9. Thousands of organizations using
NComputing systems: 13

10. Minimum power consumption percentage
savings estimated by NComputing for its
systems: 70

11. Maximum power consumption percentage
savings estimated by NComputing for its
systems: 90

12. Percentage of Americans who learn about
political campaigns from the Internet: 24

13. Percentage of Americans who sourced the
Net for politics four years earlier: 13

14. Percentage of 18-29-year-old Americans
who learn about political campaigns from
the Net: 42

15. Percentage of 18-29-year-old Americans
who learned about political campaigns from
the Net in 2004: 20

16. Position of the Net among all news sources
on political campaigns for 18-29-year-old
Americans: 1

17. Number of Linux-based hosting companies
among Netcraft's top five most reliable for
November 2007: 3

18. Number of Linux-based hosting companies
among Netcraft's top two most reliable for
November 2007: 2

19. Number of open-source-based (Linux, BSD)
hosting companies among Netcraft’s top ten
most reliable for November 2007: 7

20. Number of open-source-based (Linux, BSD,
Solaris) hosting companies among Netcraft's
top 50 most reliable for November 2007: 30


1, 2: Mobile Magazine 
3: NComputing and DesktopLinux.com 
4: NComputing, DesktopLinux.com and 
Engadget | 5-11: NComputing 
12-16: PewInternet.org | 17-20: Netcraft.com 
Let’s Call It a UVPC


Technically, the Noahpad from E-Lead 
Electronic is a Linux-based UMPC, 
or an Ultra-Mobile PC. Generally 
speaking, a UMPC is smaller than 
a notepad and bigger than a 
Mobile Internet Device (MID). But, 
in fact, the Noahpad is so versatile 
and odd, it may deserve another 
category entirely. 

Let’s start with the keyboard. 
Its two springy squares are divided 
into what you might call a bingo 
grid (5x5) of keys, all printed on 
the square and separated by raised 
dark lines. These serve to keep your 
fingers on the “keys”—an alterna- 
tive to the conventional approach, 
which orients touch via spaces 
between keys and convex bowls for 
your fingertips. Thus, the Noahpad 
has just two (barely) moving “keyboard”
parts, even though the two
squares also add 50 function keys
to the usual QWERTY lineup. 

But, that’s not the half of it. 
Both squares are touchpads—big 
ones. You can go from typing to 
pointing without leaving the two 
pads. Navigation is also novel. For 
example, you can use the touchpad 
to move around the window view, 
expanding the perimeter of the 
screen desktop beyond the borders 
of the screen itself. 

Speaking of which, the 7" back- 
lit 1040x768 display also is a touch- 
screen, and it can pivot and flip 
around both sides of the base to 
become a writing pad, a display 
or...you decide. E-Lead suggests 
many possible Noahpad uses: a car 
GPS (with a larger screen than just 
about every standard built-in or 
aftermarket GPS), a “hangable” 
multimedia player, 
a digital photo 
frame and even a 
jogging companion.
“Classmate, room- 
mate, travelmate”, 
the slogan goes. 

Tech details: 
1GHz VIA Eden CPU, 
512MB of RAM, 
30GB HD, 300k pixel 
cam, Bluetooth, 
“Ethernet 10m/100M 
USB to RJ45 dongle”, 
802.11b/g, external 
3.5g compatibility, 
Wi-Fi and Ubuntu 
7.10. For more 
information, visit 
www.noahpad.com. 
—DOC SEARLS 
What Are They Using?


Angel Roman is a 24-year-old star soft- 
ware architect with the Bug Labs team 
in New York. Bug Labs (subject of an 
UpFront piece in the December 2007 
issue of LJ) is becoming familiar in Linux
circles as a hack-ready DIY hardware
development and assembly system.
At the Consumer Electronics Show in
January 2008, I got some hang-time
with the Bug Labs people and was 
especially impressed not just with 
Angel, but also with how he had 
hacked together his own personal 
assortment of Linux gear. Here’s the 
rundown he provided at the constantly 
crowded Bug Labs booth: 


Handheld/UMPC (ultra-mobile PC):
Nokia N810. “It’s a great device”,
he says. His main everyday use of it
is reading books on the subway
between his home in the Bronx and
Bug Labs’ offices in Manhattan. “I
basically use a .pdf reader, plus an
e-mail client.”


Phone: Motorola E6 ROKR. “This
is a Linux phone that I use as a
GPRS modem for my Nokia N810
over Bluetooth.”


Laptop: Lenovo X61 tablet, running
Ubuntu Linux. “I looked at the new
Fujitsu 810. It was small with a resistance
touchscreen, and the driver
didn’t work so well. But Linux has
support from Wacom. So I decided
to get a Wacom tablet. I previously
had another ThinkPad that had
Ubuntu working perfectly. So I decided
to stick with Lenovo, got the X61,
and installed the Wacom drivers....On
an airplane, the screen re-orients.
Somebody figured that there's an
accelerometer in the machine, and
wouldn't it be nice if you could guide
Tux Racer that way.” Then, Angel
picks up the machine and moves it
around as if steering a penguin
down a ski slope. “So I knew that if
I stuck with Lenovo, I’d have good
support for drivers. And so far,
that’s worked out.” He makes heavy
use of the X61 as a tablet. “I can
make use of the whole screen area.
And I found something called Cell
Writer, which I can train to know
my handwriting. It works really
well, and it’s fast. You can even
suspend and resume. It’s an excellent
solution as a tablet.”


[Photo: Angel Roman of Bug Labs and His Gear]


—DOC SEARLS 


Get Your News at 


LinuxJournal.com 


LinuxJournal.com’s News Editor, 
Justin Ryan, brings you the best 
Linux-related news every weekday. 
He digs through mountains of 
information to bring us the most 
interesting, thought-provoking and 
sometimes funniest news happen- 
ing in the world of technology. He 
wades through it all, and delivers it 
with the wit and charm you have 
undoubtedly come to expect from 
LinuxJournal.com. 

We invite you to visit us each 
day for your dose of Linux insight 
and to subscribe to our news-only 
RSS feed at www.linuxjournal.com/ 
breaking_news/feed. 

Make sure you join in the 
discussions on LinuxJournal.com. 
Whether in the news section, or 
any other, the lively discourse is 
sure to inspire, amuse, frustrate or 
enlighten, and either way, you'll 
want in on the conversation. 

—KATHERINE DRUCKMAN 


They Said It


Life is short enough without imposing 
corporate metrics onto your friends. 
—Hugh McLeod, www.gapingvoid.com/mt/ 
mt-tb.cgi?__mode=view&entry_id=4389 


And I keep on fighting for the things I want
Though I know that when you're dead you can't
But I'd rather be a free man in my grave 

Than living as a puppet or a slave 

—Jimmy Cliff, www.bluesforpeace.com/ 
lyrics/harder-they-come.htm 


USER FRIENDLY by J.D. “Illiad” Frazer


[Comic strip]


Creative geniuses stumble; they trip; they 
make horrible mistakes. Their highest and 
most acclaimed successes are constructed 
on the low rubble of humiliating failures. 
—Dean Keith Simonton, 
blog.washingtonpost.com/achenblog/2007/11/when_genius_bombs.html


The chances are that, in the course of his 
lifetime, the major poet will write more 
bad poems than the minor. 

—W. H. Auden, 
blog.washingtonpost.com/achenblog/2007/11/when_genius_bombs.html


Linus on Linux 


In January 2008, Linus Torvalds was interviewed by Jim Zemlin for the inaugural podcast of the Linux Foundation, 
for which both Linus and Jim now work. Here are a few excerpts from a transcript of their dialogue, organized 
under headings that highlight what's changed, what hasn’t and what never will, as long as Linus is leading Linux. 


Code rules. 

“I have a policy that he who does the
code gets to decide....But at the end of 
the day, the only thing that matters is 
actual code and the technology itself. 
And the people who are not willing to 
step up and write that code, they can 
comment on it and they can say it 
should be done this way or that way or 
they won't, but in the end, their voice 
doesn't matter. The only thing that 
matters is code.” 


Corporations don’t. 

“it doesn’t matter at all who you
work for pretty much because nobody 
really cares.” 

“if you're in a tech company 
and you have interest in something 
like the Linux kernel, the reason you 
have interest in the Linux kernel 
probably has something to do with 
the kind of people you have working 
for you.” 

“I think most companies have slowly
started to learn...” 


We have our differences. 
“one misleading thing is thinking
that people kind of share ideals and 
goals, and that’s not true. It’s quite 
often the case that people have 
completely different goals; you have 
commercial vendors who have their 
very clear commercial goals and in the 
Open Source, so-called community, 
you often find individuals who really 
don’t like commercial entities, espe- 
cially not the big ones. So, quite 
often, the goals are very different.” 


Like Yoda said. 
“Trust either comes or it does not come 
and it largely depends on your actions.” 

“it used to be a huge issue 
when companies kind of were talking 
about ‘How do we interact with the 
community?” 

“when the real answer always 
ends up being you don’t interact with 
the community, you just act as a mem- 
ber of this non-existent community.” 


“you don’t interact with it, you 
are part of it.” 


Looks matter. 
“I think the thing that more people
worry about is actually interfaces.” 

“It makes more of a difference that 
the way you connect to a mobile phone 
is different from the way you connect 
to a desktop. You have a very limited 
keyboard, you have touchscreen issues, 
you have a very small screen, and I
think the bigger issues tend to be in 
things like the UI interfaces.” 


Continue forgetting ABIs.

“The lack of an ABI is twofold: one is 
we really, really, really don’t want one. 
Every single time people ask for a stable 
ABI, the main reason for wanting a sta- 
ble ABI is they want to have their binary 
drivers and they don’t want to give out 
source and they...certainly don’t want 
to merge that source into the stable 
kernel or the standard kernel.” 

“And that, in turn, means that all 
the people who actually do all the 
kernel work and maintain the kernel 
are basically unable to work with that 
piece of hardware and that vendor 
because if there's any bugs whatsoever, 
we can’t fix them.” 

“So, all the commercial vendors— 
even the ones who used to accept bina- 
ry drivers—have moved or are moving 
away from wanting to have anything at 
all to do with binary drivers because 
they're completely unmaintainable.” 

“...other projects...have binary interfaces
for one reason or another—quite
often because of commercial reasons— 
and that just means that they cannot fix 
their fundamental design.” 


The verities still are. 

“You need to have the code out there, 
not because of any social issues, but 
simply because you don’t know who's 
going to be the one who has to fix it.” 


Vendor suckage may vary. 
“There are certainly specific vendors 
who end up having more problems
than others. In fact, sometimes the 
same vendor may be very good in one 
area and very bad in another area.” 

“Broadcom is an example of this. 
They are—they have actually been fairly 
good when it comes to high-end giga- 
bit network devices, wired network 
devices, but...when it comes to wireless 
networks and other more consumer 
devices, they've been completely unable 
or unwilling to help us at all.” 


Practical vs. perfect. 

“I'm fairly pragmatic, so I don’t care,
per se, about one particular license or
another. I want to pick the license that
makes the most sense for what I want to
do. And at this point in time, Version 2
matches what I think we want to do
much, much better than Version 3.” 

“...the GPL Version 3 reflects the
FSF's goals and the GPL Version 2 pretty
closely matches what I think a license
should do and so right now Version 2 is 
where the kernel is.” 

“Could there be something that 
happens to change that? Maybe.” 

“I cannot change the license on
my own anymore. I mean, because I
have accepted code over the last 15
years by people who kind of accepted
my original choice of the GPL Version
2, I'm not just, I think, ethically bound
by those people's choices. I am also
actually legally bound.” 


It’s still fun. 

“it’s just a lot of fun working with 
people; even though, I mean, I sit in
my basement all day long and actually
don’t meet anybody at all, but what I
do is essentially communicate and it 
is very social...” 

“what drives, motivates me is 
the fun part. I mean, part of being fun
is that it should be difficult enough 
to not be trivial. So, fun doesn’t mean 
that it’s frivolous; it just means it’s 
interesting and exciting.” 

For more, visit linux-foundation.org. 

—DOC SEARLS 
COLUMNS


At the Forge


REUVEN M. LERNER 


Social Google Gadgets 


How do we turn a Google Gadget into an OpenSocial application? An initial 
look at the OpenSocial API—what it includes, as well as what it doesn't.


The past year has seen an explosion in the 
growth of social-networking sites like Facebook. 
People have jumped at the opportunity to find 
existing friends, make new ones and spend time 
communicating and participating in group activities 
on-line. Facebook might be the best-known site, 
but LinkedIn, Ning, Hi5, Orkut and others also 
have become popular. 

As we might expect in a competitive market- 
place, each of these sites has tried to offer unique 
features to encourage new people to sign up. 
During the summer of 2007, Facebook unveiled 
one of the most interesting and powerful of these 
features in its developer platform—basically, a 
way to integrate third-party Web applications 
into Facebook. 

This API has led to a torrent of applications 
being developed for Facebook. It's not clear 
whether anyone is making money off these applica- 
tions or whether there are any that people find truly 
useful (rather than frivolous). But, there are plenty 
of indications that Facebook's API is an important 
milestone for social-networking applications and for 
Web applications in general. For the first time, we 
have a Web site that is providing an open platform 
for application development. 

In response to the popularity of Facebook’s 
developer API, a number of competitors announced 
they would be supporting a similar API, known as 
OpenSocial. Applications written for OpenSocial 
should work equally well on all compliant social 
networks. Thus, instead of writing one application 
for MySpace and another for Ning, you can write 
the application once and deploy it on many differ- 
ent networks. The exception, at least for now, is 
Facebook; whether Facebook decides to join the 
OpenSocial consortium or provide a compatibility 
layer remains to be seen. 

The OpenSocial specification was spearheaded 
by Google and is based on the specification 
known as Google Gadgets, part of the personal- 
ized iGoogle page for some time. Last month, 
we looked at how to build a simple Google 
Gadget, which packages HTML and JavaScript 
into an XML wrapper. 

This month, we look at how to take our simple 
Google Gadget and turn it into an OpenSocial- 
compliant application. We begin to see the pros 
and cons of the OpenSocial standard and consider
ways to make use of its capabilities. 


Making the Gadget Social 
As we saw last month, the simplest possible “Hello, 
world” Google Gadget looks like the following: 


<?xml version="1.0" encoding="UTF-8" ?>
<Module>
  <ModulePrefs title="Hello world" />
  <Content type="html">
    <![CDATA[
      Hello, world!
    ]]>
  </Content>
</Module>


The gadget comes as an XML file, with a 
Module section and a Content section. The Module 
section allows us to specify gadget-specific prefer- 
ences, using the ModulePrefs tag. The Content 
section, as you might expect, contains the HTML 
and JavaScript that will be displayed and executed 
for the user. 

We can turn a simple gadget into an OpenSocial 
gadget by adding a new Require tag within our 
Module tag: 


<?xml version="1.0" encoding="UTF-8" ?>
<Module>
  <ModulePrefs title="Hello world" />
  <Require feature="opensocial-0.6" />
  <Content type="html">
    <![CDATA[
      Hello, world!
    ]]>
  </Content>
</Module>


The Require tag indicates that our gadget is 
implementing the OpenSocial standard, version 0.6. 
(A new version undoubtedly will be released by the 
time this column is printed. The initial version, 0.5, 
was superseded by 0.6 in late December 2007.) 
Other than that single line, this is the same “Hello, 
world” widget we installed on our iGoogle page 
last month. In theory, we can go ahead and install
this application on the social-networking site
(OpenSocial container) of our choice, and it'll
work just fine.


Adding Social Functionality 
“Hello, world” is boring enough as a standalone 
program; using it as an example of a social- 
networking API seems almost silly. For a gadget to 
become a fully fledged OpenSocial application, it 
needs to demonstrate an ability to interact with 
other people. More precisely, a socially aware 
application should be able to find out something 
about me and my friends, as well as what I (and
my friends) do. 

The OpenSocial API addresses this by offering 
three types of functionality: 


■ People and relationships: get information about
you, your friends and the various pieces of data
associated with those friends. The Person class
provides access to this information.

■ Activities: social-networking sites are interesting
because they let you interact with your friends in
a variety of activities. These activities can range
from exchanging messages to answering questions
in an on-line poll to keeping up to date
on the latest sports scores. OpenSocial sees
an activity as a collection of actions within a
particular container. The Activity class provides
access to this data.

■ Persistence: OpenSocial makes it possible for an
application to store information between sessions.
One of the most interesting aspects of this
persistence API is the fact that storage is handled
by the OpenSocial container, not by the application.
There is no Persistence class for handling
such data. Rather, the data is read and written by
invoking methods on the overall opensocial
object. Note that the persistence layer lets applications
store data globally, as well as on a per-user
or per-application instance basis, as needed.

Interactions with these three objects, as well
as with the OpenSocial API in general, are done via
method calls on the opensocial object. Typically,
methods execute asynchronously, with a callback
method specified as one of the invocation parameters.
For example, we can get information about the
person currently running (viewing) our application
by creating a new OpenSocial data request and
indicating what request we want to make:


var req = opensocial.newDataRequest();
req.add(req.newFetchPersonRequest(
            opensocial.DataRequest.PersonId.VIEWER), "viewer");


We then send the request to our container:

req.send(response);


The response parameter is a function; as soon as 
the request returns a response, that function will be 
invoked. Moreover, when the response function is 
invoked, it will be passed a single parameter that 
contains the results from our method call. 




We can send multiple queries within a single data- 
request object; all we have to do is invoke req.add 
multiple times. As you can see from the above line of 
code, invoking req.newFetchPersonRequest required 
that we both indicate what we want to request, 
and that we give it a symbolic name (viewer). This 
naming allows us to pull apart different types of 
response data within a single object. 

You might be wondering what stops the viewer 
from being able to retrieve arbitrary data from the 
OpenSocial container. The answer is that OpenSocial 
defines two basic types of people: the viewer 
and the owner. The former, as we have seen, 
refers to the person who is running and viewing 
the operation—and might even refer to no one 
at all, if our system permits anonymous brows- 
ing. The owner, by contrast, must be a defined 
person on the system, and may very well refer to 
the same person as the viewer. But at least in 
theory, OpenSocial will provide only limited infor- 
mation to viewers about owners with whom they 
have no relationship. 


Who Are Your Friends? 

Perhaps the simplest type of application we can 
write with OpenSocial is one that shows the 
current user's friends. Better yet, because friends 
on a social-networking site typically upload their 
pictures, we even can display a list of the view- 
er's friends. 
Last month, we saw how we can modify the
HTML in which a Google Gadget—or an OpenSocial 
application—is running. Create an empty div, 
build up the HTML in a variable, and then set 
the div's innerHTML property to be that of the 
variable. For example: 


html = "<p>Hello</p>"; 
div.innerHTML = html; 


In order to display a list of the viewer's friends, 
we need to retrieve a list of those friends. We then 
can iterate over those friends, putting their thumb- 
nail image URL in our html variable. 

In order to retrieve a list of friends, we must do 
the following: 


var viewer_friends = opensocial.DataRequest.Group.VIEWER_FRIENDS;
req.add(req.newFetchPeopleRequest(viewer_friends, opt_params),
        "viewer_friends");
req.send(response);


The above request contains a single query, which 
we call viewer_friends. (Don't be confused by 
the viewer_friends variable, which was introduced 
simply to make the lines easier to understand.) 

When the method has finished executing 
asynchronously, it invokes our response function. 
We can define it like any other JavaScript function, 
and Google's documentation even indicates that 
you can use JavaScript libraries, such as Prototype 
or Dojo, inside an OpenSocial application. 

Google already has included a number of useful 
JavaScript functions as part of its implementation 
of gadgets, meaning that a Ruby-like each method 
is available to us. That method, which typically is 
invoked on an array, takes a function as a parame- 
ter. The function is executed once for each element 
of the array, with each array element being passed 
to the function in turn. Thus, we can write our 
response method as follows: 


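function response(data) {
    // Start with an empty string and append one <img> per friend
    var html = "";
    // Pull out the result we named "viewer_friends" in the request
    var viewer_friends = data.get("viewer_friends").getData();
    viewer_friends.each(function(person) {
        var thumb =
            person.getField(opensocial.Person.Field.THUMBNAIL_URL);
        html += '<img src="' + thumb + '"/>';
    });
    // Replace the contents of the "main" div with the thumbnails
    document.getElementById('main').innerHTML = html;
}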


Our response method is invoked only after the
request has been sent. Its data parameter is populated
with the response to our query, which we can
retrieve with its name (viewer_friends). We then use
the getData() method on the resulting object to give
us the data that interests us, namely an array of
person objects.

Each person in OpenSocial has a few required 
properties, among them the URL of their person- 
al thumbnail picture. You can see from the above 
example that we retrieve it by invoking the 
getField() method on a person, indicating which 
field we want by using a value provided by the 
OpenSocial framework. We can use several such 
values, including ID (for their unique ID), NAME 
(for their name) and even PROFILE_URL (for the 
person's home page URL on the system). Beyond 
those basic fields, a well-behaved OpenSocial
application must query its container to make
sure that the field it wants is available.
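
The response function above writes a profile-supplied thumbnail URL straight into innerHTML, so that value should be validated and escaped before it becomes markup. The following is an added example, not code from the column or from the OpenSocial project; THUMBNAIL_FIELD, makePerson and the sample profiles are constructed stand-ins so that it runs outside a container.

```javascript
// Added example: render friends' thumbnails without letting
// profile-supplied strings become markup.
// Assumption: THUMBNAIL_FIELD stands in for
// opensocial.Person.Field.THUMBNAIL_URL so the block runs outside a container.
const THUMBNAIL_FIELD = "thumbnailUrl";

// Escape the characters that can end an attribute value or open a tag.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Accept only absolute http/https URLs; return the normalized URL or null.
// Relative URLs, javascript:, data: and non-string values are all rejected.
function safeImageUrl(raw) {
  if (typeof raw !== "string") return null;
  let url;
  try {
    url = new URL(raw.trim());
  } catch (e) {
    return null; // not an absolute URL
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return null;
  return url.href;
}

// Build the <img> list for an array of person-like objects (anything with
// getField). Returns the markup plus a count of rejected entries so the
// caller can log them instead of dropping them silently.
function renderFriendThumbnails(people) {
  let html = "";
  let skipped = 0;
  people.forEach(function (person) {
    const url = safeImageUrl(person.getField(THUMBNAIL_FIELD));
    if (url === null) {
      skipped += 1;
      return;
    }
    html += '<img src="' + escapeAttr(url) + '" alt=""/>';
  });
  return { html: html, skipped: skipped };
}

// Constructed sample data: one ordinary profile, one value that tries to
// close the src attribute, one non-http scheme and one missing field.
function makePerson(thumb) {
  return {
    getField: function (name) {
      return name === THUMBNAIL_FIELD ? thumb : undefined;
    },
  };
}
const samplePeople = [
  makePerson("http://img.example.test/alice.png"),
  makePerson('http://img.example.test/x.png" onerror="alert(1)'),
  makePerson("javascript:alert(1)"),
  makePerson(undefined),
];

const result = renderFriendThumbnails(samplePeople);
console.log(result.html);
console.log("skipped:", result.skipped);
```

In a gadget, the response callback would pass the array from getData() to renderFriendThumbnails and assign the returned html to the div's innerHTML.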


Does OpenSocial Work? 

One of the biggest problems with OpenSocial is its 
inherent diversity and cross-platform functionality. 
Programmers who create desktop applications have
discovered—often the hard way—that different
operating systems have different conventions for
how dialog boxes, or even menus, look and feel.
These often-subtle design distinctions can play a
major role in the usability of an application.

Thus, it'll be interesting to see what happens 
when OpenSocial applications are unveiled and 
are supposed to work cleanly on all systems. One 
of the Facebook platform's great advantages is 
the fact that it shoehorns application content 
into a standard look and feel. This is missing 
with OpenSocial, and although it encourages 
diversity, I'm far from convinced this will be good 
for end users. 

Another, and more serious, issue with OpenSocial 
is that it is designed to let applications run in 
different contexts, not seamlessly join data from 
diverse social-networking systems. Yes, it’s nice 
that software developers will be able to release 
their code on multiple platforms at the same 
time. But as a user as well as a developer, I’m 
interested in getting a comprehensive list of all 
my friends/contacts/links from all the social networks 
to which I belong.

Just a few weeks before I wrote these words,
well-known blogger Robert Scoble was
kicked off Facebook for downloading 
his contact list into another program. 
(His account was reinstated within a 
few days.) The notion that data should 
stay locked within one of these systems, 
rather than be freely downloadable and 
transferable by the people who entered 
and approved it, is disappointing. 

If I create a forum application using
OpenSocial, and I use the persistence
API in order to store messages, it
might work just fine. But, what if I
want the forum to work across differ- 
ent networks, such that forum post- 
ings are persistent not only across 
users, but also across the different 
OpenSocial containers? That appears 
to be completely unsupported by the 
standard. And although such capabili- 
ties would seem to be against the 
interests of the various social-network- 
ing companies, it is most certainly in 
the interest of the individual users. 

Of course, given that OpenSocial 
is nothing more than a specification 
and set of JavaScript libraries, there’s 
still hope. Perhaps someone will cre- 
ate a JavaScript library that allows 
OpenSocial client applications to store 
and retrieve state on a remote server 
(that is, not on the OpenSocial con- 
tainer’s server) in a format that can 
be unpacked and used across systems 
easily. Such a library might be difficult 
to create, particularly given the vari- 
ous user-visibility and privacy issues. 
But, it would be an additional step 
toward not just code portability, but 
data portability, that many people 
would like to see in OpenSocial. 


I should note that I’m not the first
or only person to raise some of these 
concerns. Tim O'Reilly, among others, 
has expressed his disappointment 
with the initial versions of OpenSocial 
(see Resources). 


Conclusion 

OpenSocial provides a standard library 
and packaging system for applications 
that fit into a social-networking site. 
Assuming that enough sites implement 
the OpenSocial specification, this 
will greatly ease the burden on
developers, who still will have to
develop for Facebook. 

This month, we took a short look 
at what the OpenSocial standard offers 
developers and how we can create 
applications that take advantage of 
these supports. We also saw how 
OpenSocial applications communicate 
with the enclosing containers. Finally, 
we saw how we can even create a 
simple application in only a few lines 
of carefully chosen code. 

It remains to be seen whether 
OpenSocial will succeed, either on its 
own or as a competitor to the Facebook 
development platform. I do believe that
it needs to become more mature before
it will be truly useful. But, the intentions
are definitely positive, and there is a
great deal of potential for good to
come out of this standard.


Reuven M. Lerner, a longtime Web/database developer
and consultant, is a PhD candidate in learning sciences
at Northwestern University, studying on-line learning
communities. He recently returned (with his wife and three
children) to their home in Modi’in, Israel, after four years
in the Chicago area.


Resources 


Examples: code.google.com/apis/opensocial/articles/firstgadget/firstgadget-0.6.html

Description of OpenSocial: blog.pmarca.com/2007/10/open-social-a-n.html

OpenSocial Screencast: blog.pmarca.com/2007/10/open-social-scr.html

OpenSocial Specification: code.google.com/apis/opensocial/docs/spec-0.6.html

Tim O'Reilly's Arguments in Favor of “Data Mobility” within OpenSocial:
radar.oreilly.com/archives/2007/11/opensocial_social_mashups.html
Note: The screenshot in Figure 1 is from an Ubuntu live DVD, which
is why you can see that install icon and Examples folder on the
screen. The Examples folder contains a number of sample documents,
spreadsheets, images and multimedia files to try with your Ubuntu
Linux system.


This is indeed an exciting evening, Francois. This 
issue of Linux Journal marks the 100th Cooking 
with Linux column by your humble patron, mon 
ami. You've done an excellent job on the decorations,
Francois. I am very impressed, but I do have
one question. Don’t you think there’s something just
slightly wrong with the giant cake you ordered for
this event? You do not see it? Mon ami, it says,
“Congratulations, Cooking with Linux, on being
100 years old!” The column is 100 issues old, not
100 years. Mon Dieu!

I can see our guests approaching even now,
Francois. Please, get the door. Welcome! Welcome, 
everyone, to Chez Marcel, the meeting place of 
great Linux and open-source software and excep- 
tional wines. Your tables are waiting, mes amis, so 
please sit and make yourselves comfortable. 

Tonight, mes amis, we are privileged to count 
among our guests, internationally renowned wine 
writer, Decanter World Wine Awards chair and 
member of the Order of Canada, Tony Aspler. For 
those of you who may not know, the Order of 
Canada represents Canada’s highest civil honor. 
He has graciously agreed to select a wine for us 
tonight. Your suggestion, Tony? 

“This is a wine to drink with duck breast, for 
après-ski, romantic situations, wakes or software
writing: Le Clos Jordanne Vineyard Pinot Noir 2005— 
medium ruby colour; a nose of dried flowers, 
minerals and raspberries; richly extracted; velvety 
mouthfeel; firm but elegant with a long cranberry 
and pomegranate finish. A lovely wine to drink 
now or hold for 2-3 years. Five stars!” 

An excellent recommendation! Thank you! And, 
as it turns out, we happen to have several bottles in 
our cellar. Francois, please hurry down and fetch the 
wine for our guests. While my faithful waiter goes 
for the wine, and before I introduce the first item
on tonight’s menu, my sincere thanks to Tony Aspler 
for suggesting tonight's wine. 

System administration sounds like something the 
computer person at your company does in the serv- 
er room, but anybody using a desktop computer of 
any kind also plays administrator from time to time. 
If you've ever spent time looking for old files to 
clean up, you've done system administration. Have 
you ever added and configured a printer? Backed 
up your files? Created folders and reorganized 
your music files into categories? Installed a new 
game? Yes, mes amis, every one of those examples 
represents part of what system administration
is. On the surface, it may not sound like fun, and 
although some of it is the drudgery of keeping 
your system up and running properly, there is a 
lighter side to maintaining your system, from set- 
ting the default look and feel of your desktop to 
activating some serious eye candy. 

Ah, Francois, you have returned. Please, pour 
for our guests. 

Historically, system administration may have 
gotten its Ubergeek reputation due to the command- 
line-intensive nature of administration. In the sleek 
and modern world that is today’s desktop Linux, 
command-line administration, though still available, 
is relegated to the past for most users. GNOME 
users can find everything they need to administer 
their systems in the top panel menus, starting 
with the System menu. If you need help, this is 
the place to start, because the GNOME help sys- 
tem is available from the System menu. You also 
can lock your screen with a password (when you 
run off for coffee or a muffin), or log out of your 
current Linux session. 

Right at the top of the System menu is the 
Preferences submenu (Figure 1). 

Figure 1. The Preferences submenu allows you to change
your personal settings.

The Preferences menu is all about personalizing
the user experience. Because these are personal
options, none of them require administrative 
privileges, even though these are still considered 
administrative functions. You can set a screen- 
saver, change the background and window deco- 
rations, or play with the colors. If the fonts look 
a little small, there’s a simple option for changing 
the size of what you see on the screen. And 
speaking of your screen, changing the screen 
resolution is easy and doesn’t require you to restart 
your graphical environment. 

Let's take one more step down into the System 
menu and look at the Administration submenu 
(Figure 2). 

Granted, when you go from Preferences to 
Administration, it does sound a bit scarier, but drink 
a little more wine, relax, and it will all seem friendli- 
er shortly. From time to time, you will want to do 
things on your system that affect everyone who 
logs in equally. Changes made under Preferences 
don't affect anyone but the current user, and if your 
niece, Stephanie, chooses some garish desktop 
colors, it won't affect you when you log in. Making 
Figure 2. GNOME’s Administration submenu is the starting
point to configure your network, check logs, install software
and more.
from setting up a printer to configuring your
Internet access. You can share folders (so others on 
your home or office network can use them), look at 
system logs, change the look and feel of the login 
screen and add users. 

Perhaps one of the most important functions 
here involves updating and maintaining the pack- 
ages on your system. Staying up to date is one of 
the best ways to keep your system humming along 
nicely and securely. 

All right, let's look at how KDE does things 
when it comes to system administration. Currently, 
there’s a transition happening in the KDE world, and 
it’s a fairly major one. The venerable and powerful 
KDE 3.5 is making way for the new, improved, and 
in many ways, very different, KDE 4 desktop. To 
ease transition, certain things started changing later 
in the KDE 3.5 releases. One of those things had 
to do with system administration, as the old KDE 
Control Center was slowly replaced by System 
Settings (command name: systemsettings). System
Settings is more intuitive, easier to navigate and 
easier to work with. From System Settings, you can 
change the look and feel of your system, configure 
hardware, networking, sound, printers and a host 
of other things. You'll usually see System Settings 
directly under the program launcher menu. On KDE 
4's Kickoff launcher, look for it under the computer 
icon. When the System Settings window appears, 
you'll see a two-tabbed view, with an Advanced tab 
in the background and the General tab selected by 
default (Figure 3). 


Figure 3. The Systems Settings dialog from KDE 4.0 gives 
you access to most desktop administration functions. 


General settings are broken up into four major 
categories: Look & Feel, Personal, Network & 
Connectivity and Computer Administration (isn’t it 
all administration?). Although many settings affect 
personal desktop settings, other functions that can 
affect the entire system do require Administrator 
privileges. In those cases, you'll see a button to 
activate system privileges.

Of course, I did mention that administering your
system could involve playing with some serious
flash, pizzazz and glitzy eye candy. KDE 4 users get a
serious dose of this with the new Kwin composite 
desktop and its plasma desktop and related toys. 
Simply click the Desktop icon from the General tab 
(under Look & Feel), then, under the two-tabbed 
window that appears, check Enable desktop effects. 
Select all the so-called common effects, then click 
on the All Effects tab (Figure 4). 
Figure 4. For serious eye candy, KDE 4 users can turn a little
of their administration time over to some glitzier pursuits. 


Under this All Effects section, you'll find lots 
of great desktop toys. Some of them are strange 
Figure 5. Lost your mouse pointer? We can find it for you,
surrounded by stars. 


and Meta key. Five bright yellow stars appear 
orbiting the mouse pointer (Figure 5). 

Although there are preset key defaults, many of 
these can be overridden by clicking on the Settings 
button next to the listed effect. For instance, you 
may not like the key sequence provided for the 
Looking Glass effect (the Meta key on my notebook 
is the so-called Windows key, and I might not want
that). Once the Settings button is clicked, a small 
window appears with the default keyboard short- 
cuts selected (Figure 6). You can click on the key 
sequence and make your change. If you muck 
things up, you always can press the Defaults button 
to return things to normal. 


Figure 6. Default key and mouse combinations for various 
effects can be edited by clicking the Settings button. 


Of course, useful is open to interpretation. One 
of the effects lets you use your mouse pointer to 
draw on your desktop. You can make windows and 
decorations translucent or have objects fade away 
on the screen. You can dim active windows or fade 
parent windows when configuration dialogs appear 
(Figure 6). You may find it useful to have windows 
explode when you close them. Or, it may be better 
for your productivity to have them fall into a thou- 
sand pieces (Figure 7). Be warned; if you choose the 
exploding or falling-apart window effect, even 
tooltips explode when they close. 

There are several different effects to play with, 
all of which should impact your productivity nicely, 
at least for a little while. And remember, if your 
patron ever comes by your desk and asks what you 
are doing with all these fancy exploding windows, 
animations and what not, say you are doing your 
job—system administration. 

Figure 7. Windows look better when they fall apart as
they close.

We may well be able to change just about
anything on our systems, but sadly, mes amis,
there is little we can do to change the time on
the wall. There is still plenty of wine, however,
and Francois will be offering some of that amazing
100th birthday cake along with some fantastic
café au lait after you finish your wine. In closing
this 100th Cooking with Linux, I want to thank
you all for coming each and every month. My
thanks also to Tony Aspler for his wine suggestion
and to my ever-faithful waiter, Francois.
When you've finished taking your bows, Francois,
please make sure everyone's glass is refilled.

Raise your glasses, mes amis, and let us all drink to 
one another's health. A votre santé! Bon appétit!


Marcel Gagné is an award-winning writer living in Waterloo, Ontario. He is the 
author of the Moving to Linux series of books from Addison-Wesley. He also makes 
regular television appearances as Call for Help’s Linux guy and every month on 
radio's Computer America show. Marcel is also a pilot, a past Top-40 disc jockey, 
writes science fiction and fantasy, and folds a mean Origami T-Rex. He can be 
reached via e-mail at mggagne@salmar.com. You can discover lots of other things 
(including great Wine links) from his Web site at www.marcelgagne.com. 


DAVE TAYLOR


Twittering from the 
Command Line 


Incessant status updates to your cell phone from the command line? 
Sure, with a little help from curl and Twitter. 


If you’ve been around the Linux and UNIX world 
as long as | have (is it really going on 30 years? How 
could that be?), you'll be familiar with the various 
attempts at multiperson chat that have come down 
the pipeline, from simple command-line tools to the 
curses-based “talk” program to Internet Relay Chat 
(IRC) chaos. Occasionally fun, but often a complete 
waste of time, there’s still something appealing 
about having an open line with a circle of friends 
and colleagues. 

A few years ago, that mantle was assumed by 
the status line in Facebook, where hard-core users 
update their status throughout the day to reflect 
the meetings they're attending, conferences they're 
involved with, dates with their spouses or significant 
others, concerts, fights with parents and so on. The 
problem is, that’s useful only if the people in your 
circle are also rabid Facebook fanatics—a shortcom- 
ing that's true of any of these services, of course. 

Simultaneously, flashmob instigators found that 
Web-based tools could help them organize, and ser- 
vices like Dodgeball were created. (A flashmob is a 
spontaneous gathering of people organized by cell 
phone or text messaging.) Dodgeball was bought by 
Google and then strung out to die, but the meme 
of status messages as a form of shared communica- 
tion continued to evolve, and the latest evolution is 
a weird, sometimes overly voyeuristic, on-line service 
called Twitter (visit twitter.com). 

During the past few months, I have found Twitter
oddly compelling, in a manner perhaps analogous to
Jimmy Stewart being unable to tear himself away
from his binoculars in Rear Window (even while the 
breathtakingly gorgeous Grace Kelly was administer- 
ing to him, but that’s another column entirely). 
Twitter is immediately useful if a group of people are 
at a conference, allowing you to meet up easily for 
meals, evening activities, shared cab rides and so on, 
but it's also rather fun to keep a running commen- 
tary of your goings-on and know what your friends 
and associates are doing too. 

Twitter works directly from a Web page and 
also is completely short message service (SMS)- 
compliant too, so it’s extraordinarily cell-phone- 
friendly, adding significantly to its utility. 

Okay, nice history lesson. What about some sort 
of shell script, Dave?

What makes Twitter interesting to me is that 
like so many modern Web services, it has a public 
application programming interface (API) that makes 
it both easy and fun to hack and fiddle with. 
Although some of the so-called Web 2.0 services 
are still closed, more and more are making their 
back ends accessible to open queries, creating many 
possibilities for darn interesting shell scripts and 
more sophisticated software and mashups. 

For this column, I want to show you how incredibly
easy it is to update your Twitter status from the
Linux command line, and then noodle a bit on how 
this could be used for useful, interesting or just 
mundane tasks. To tantalize you, imagine that you 
could launch a big software build and have it text 
your cell phone when it was done, rather than you 
having to sit at your office. 

First, though, you can find the API at twitter.com/help/api.
Read through it, and you'll find that just
about all interactions are done with specially constructed
URLs. That's good, because it’s easy to manipulate
and tweak a string within a shell script.

The most basic use of the Twitter API is to send 
a status update message to your account. Here's an 
example of how to do that: 


curl --basic --user "$user:$pass" --data-ascii \
    "status=testing123" http://twitter.com/statuses/update.json


You can see one of the big challenges of 
writing this as a shell script already. User validation 
is done through sending an account name and 
password pair, and that means you're probably 
going to have the password embedded in your 
script. Never a good idea. But, prompting for it 
each and every time you want to send an update 
isn't good either. 

Before we address that though, notice how I’m 
utilizing the wonderful curl utility—a must-have for 
your Linux distro. If you don’t have it, grab a copy 
from curl.haxx.se. curl makes it very easy to work 
with Web pages via the command line, and I consider
it essential for any modern shell script programmer. 

Looking back at the command invoked, you'll
notice that the URL to which we are going to send the
update is statuses/update.json. Read the API, and you'll notice that
it supports four different output formats, all of which are a pain
to parse within a script, unfortunately. One of those is json, and it
re-occurs here as the update-receiving URL address.

If you've already worked with Web sites from the com- 
mand line, you know there are lots of illegal characters that 
cannot be included in URLs and, by extension, on command 
lines of utilities that interact with the Web, such as curl. As a 
result, one of the tasks of our send.twitter.update script will be 
to make all of the necessary substitutions before sending the 
new status message to the Twitter server. 

On a lightweight service like Twitter, I think it’s probably 
crazy to go through too many hoops to ensure security, so I 
actually will be including the account name and password in 
the script. Given some of the suggested applications we'll 
explore later, it makes sense to create a new Twitter account 
just for the command-line updates, in which case, a shared 
password isn’t that big a problem anyway. 

Here's a first stab at a simple stu (send twitter update) script: 


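#!/bin/sh
# stu - send a status update to Twitter from the command line

user="DaveTaylor"
pass="--mypw--"
curl="/usr/bin/curl"

# Join the arguments into one message and turn each space into a "+"
$curl --basic --user "$user:$pass" --data-ascii \
  "status=`echo $@ | tr ' ' '+'`" \
  "http://twitter.com/statuses/update.json"

exit 0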


In use, simply type in the script name and desired 
status update: 


$ stu Writing makes me sleepy
{"user":{"name":"Dave Taylor","description":"Blogger, entrepreneur, public
speaker, dad!","screen_name":"DaveTaylor","profile_image_url":
"http:\/\/s3.amazonaws.com\/twitter_production\/profile_images\
/35534842\/dticon_normal.gif","location":"Boulder,
Colorado","url":"http:\/\/www.AskDaveTaylor.com\/","id":9973392,
"protected":false},"created_at":"Sat Jan 12 21:31:37 +0000
2008","truncated":false,"text":"Writing makes me
sleepy","source":"web","id":592217322}
$


Eek. That’s a scary output, isn’t it? So, before wrapping up 
this column, I strongly suggest that immediately after the 
invocation of curl, you append >& /dev/null, so you can 
discard the output. If you want to be fancy, check $? to 
see whether it’s nonzero, but let's talk about that level of 
improvement in the next column. 
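
An added example, not part of the column's script: one way to keep the password out of both the script and curl's argument list, and to percent-encode the message so that characters such as & or + cannot alter the form data. The ~/.stu-credentials file holding a single user:password line, and all function names, are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not the column's script). CRED_FILE's "user:password" layout
# and every function name here are assumptions made for illustration.

CRED_FILE="${CRED_FILE:-$HOME/.stu-credentials}"
STU_URL="${STU_URL:-http://twitter.com/statuses/update.json}"  # URL from the column

# Percent-encode every byte except the RFC 3986 unreserved set, so characters
# such as '&', '=', '+' and '%' in a message cannot change the form data.
# The body runs in a subshell so the LC_ALL override does not leak out.
urlencode() (
    LC_ALL=C
    s=$1
    out=
    while [ -n "$s" ]; do
        rest=${s#?}          # everything after the first byte
        c=${s%"$rest"}       # the first byte itself
        case $c in
            [A-Za-z0-9._~-]) out=$out$c ;;
            *) out=$out$(printf '%%%02X' "'$c") ;;
        esac
        s=$rest
    done
    printf '%s' "$out"
)

# Succeed only for a regular file whose group and other permission bits are
# all clear (for example mode 0600); symlinks and directories are rejected.
creds_file_is_private() {
    [ -f "$1" ] || return 1
    case $(ls -ld -- "$1") in
        -???------*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print a curl config line carrying the credentials. Feeding it to
# "curl --config -" keeps the password out of curl's argument list.
curl_auth_config() {
    creds_file_is_private "$1" || {
        echo "stu: $1 must be a regular file with mode 0600" >&2
        return 1
    }
    IFS= read -r line < "$1" || [ -n "$line" ] || return 1
    # Escape backslashes and double quotes for curl's quoted config syntax.
    esc=$(printf '%s' "$line" | sed 's/[\\"]/\\&/g')
    printf 'user = "%s"\n' "$esc"
}

# Send one status update: credentials arrive on curl's stdin, the message is
# percent-encoded, output is discarded and curl's exit status is returned.
stu() {
    [ $# -gt 0 ] || { echo "usage: stu message..." >&2; return 2; }
    cfg=$(curl_auth_config "$CRED_FILE") || return 1
    printf '%s\n' "$cfg" |
        curl --silent --fail --basic --config - \
             --data-ascii "status=$(urlencode "$*")" "$STU_URL" > /dev/null
}
```

Recent curl releases also offer --data-urlencode, which performs the same encoding without a helper function.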


Dave Taylor is a 26-year veteran of UNIX, creator of The Elm Mail System, and most recently 
author of both the best-selling Wicked Cool Shell Scripts and Teach Yourself Unix in 24 Hours, 
among his 16 technical books. His main Web site is at www.intuitive.com, and he also offers up 
tech support at AskDaveTaylor.com. Follow him on Twitter if you'd like: twitter.com/DaveTaylor. 




COLUMNS 


PARANOID PENGUIN 


MICK BAUER 


Security Features in 
Ubuntu Server 


Use old-school administration skills to benefit from modern tools on 
Ubuntu Server. 


Last month, I offered a survey of security features 
in Ubuntu Desktop 7.10, a single-CD Linux distribu- 
tion that combines the flexibility of Debian with a 
very easy-to-use set of graphical setup/administra- 
tion tools. Ubuntu also comes in a server version, 
which in some ways is just a re-configuration of 
Ubuntu Desktop, but nonetheless, it’s a different 
distribution in its own right. 

This month, I survey some of the major security 
features in Ubuntu Server 7.10. Unlike Ubuntu 
Desktop, Ubuntu Server is probably the wrong 
choice for complete Linux newcomers. It’s extremely 
command-line-centric, and its documentation is 
not exactly encyclopedic. Accordingly, this month's 
column assumes you've got a basic understanding 
of how Linux works and some comfort with the 
command prompt. 


Ubuntu Server vs. Desktop 
There are several key differences between Ubuntu 
Server and Ubuntu Desktop. First, and most 
obvious, is the lack of any graphical tools. Ubuntu 
Server doesn’t install the X Window System auto- 
matically. This has become an increasingly rare 
approach, even with server-oriented Linux distributions. 
But, as I explain shortly, omitting the X 
Window System improves system security and 
performance and decreases system complexity. 
Second, Ubuntu Server installs a much smaller 
set of packages overall than Ubuntu Desktop. (In 
fact, there’s ample room on the Ubuntu Server CD 
image to add things of your own—watch this col- 
umn for a future series on customizing and building 
your own bootable CD images.) You might think 
this means that Ubuntu Server offers fewer choices 
in server applications, but as I show here, these 
aren't fewer choices than on other popular server- 
oriented distributions. And besides, you can install 
additional Ubuntu packages easily over the Internet. 
The last major difference worth noting is that 
Ubuntu Server's default kernel is tuned for server 
performance, whereas Ubuntu Desktop’s default 
kernel is tuned for maximum responsiveness. An 
article by Carla Schroder on these differences 
details some specifics as to how this is achieved 
(see Resources). 
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Did Mick Just Say, “No Graphical Tools?” 
Yes, you read that right. By default, Ubuntu Server 
is a purely console-driven distribution. On Ubuntu 
Server, you do things the old-school way, with shell 
sessions, man page lookups and the vi editor. 

Of course, there's nothing to stop you from 
installing the X Window System, complete with a fully 
packed KDE desktop environment, OpenOffice.org 
and Tux Racer. Ubuntu’s download repositories 
don’t distinguish between Server and Desktop, 
so you can install whatever you like. However, 
I very strongly suggest you resist the temptation 
to install the X Window System on your Ubuntu 
Server system. 

When the first edition of my book Linux Server 
Security came out (which I try not to plug here, but 
this is after all an article on Linux server security), 
one reviewer complained bitterly about my advice 
to omit the X Window System from server installa- 
tions. But, for years I’ve stood firm on this advice. 
The X Window System increases complexity. It has a 
history of “local privilege escalation” vulnerabilities 
(that can often be exploited remotely), and it always 
imposes a significant performance penalty. 

“Keep it simple” is one of the most important 
tenets of good system security. If you don't need 
something, you should live without it. And, in most 
server scenarios, when a system's primary function 
is to provide various network services, and wherein 
what little “interactive” access necessary for admin- 
istration can be done remotely, it’s hard to justify 
the increased attack surface and overall complexity 
that come from running X. 

Besides, even in Ubuntu Desktop, many if not 
most serious configuration and security tasks at 
some point require you to open a terminal and issue 
commands with sudo. If you want to be an Ubuntu 
system administrator (or more than a novice at 
Linux in general), there’s no getting around needing 
to be able to cope with the command line. So I 
applaud the Ubuntu team’s common sense (and 
courage) in keeping the X Window System out of 
the default installation of Ubuntu Server. 

If you really need a GUI experience in adminis- 
tering your Ubuntu Server system, there are remote 
administration tools you can use (Webmin, for 
example—see Resources, and also see Federico 
Kereki's article “Graphic Administration with 
Webmin” on page 64) that provide this without 
requiring X on the server itself. 


Ubuntu Server Installation 

As I've often said, security begins with operating 
system installation. This is where you decide your 
system's role, what set of applications will run on 
the machine, and what type and degree of user 
access it will support. So, to what degree does the 
Ubuntu Server installer help system security? 

The Ubuntu Server installer is very similar to the 
Ubuntu Desktop installer, except that the Server 
installer is, if anything, even more minimalist. It 
guides you through partitioning your hard disk, asks 
what category of software packages to install, walks 
you through creating a login account (not root), 
installs the software, and then, depending on what 
you installed, it may or may not ask you a few very 
basic questions with which it begins (barely) configuring 
one or more of those applications. 

The good news is that the Ubuntu Server installer: 


■ Can create encrypted disk volumes. 


■ Doesn't ask you for a root password, because 
you never log on as root in Ubuntu. 


■ Is surprisingly fast, obviously thanks to its simplicity. 


■ Generally installs things with conservative, fairly 
secure, default settings (which is actually a function 
of packages’ individual installation scripts). 


Figure 1. Ubuntu Server installer offers encrypted volumes. 


The bad news is that the Ubuntu Server installer: 


■ Doesn't allow you to select specific/individual 
software packages; instead, it just asks you the 
general role the server will play (Figure 2). 


■ Prompts you for the MySQL administrator's 
password, but doesn’t prompt you a second 
time to make sure you didn’t mistype it. 


■ Doesn’t check passwords for complexity 
(uppercase/lowercase, numerals and so forth). 


Figure 2. Selecting Server Software Bundles 


After installation, you may notice that most if 
not all the server applications you installed (Apache, 
Postfix and so forth) are up and running, even 
though you haven't really configured them yet. 
You'll need to do that yourself by editing the 
appropriate configuration files in /etc. 

On the one hand, my personal preference is 
that, by default, network services should be dis- 
abled initially, to make it harder for an attacker to 
exploit an application that has been overlooked 
altogether or that is still in the process of being 
configured. On the other hand, because Ubuntu's 
default application configurations tend to be fairly 
secure, this probably doesn’t pose a huge risk. 

For example, immediately after installation, 
Apache is started, displaying a simple “It works!” 
page, which announces to the world that you've 
just installed Apache but haven't gotten around to 
configuring it yet. (Ow!) But, there's no obvious way 
for an attacker to exploit this. You can’t recurse out 
of the nearly empty default http root directory, 
default CGI scripts aren’t present and so on. 

If you're worried about this, you simply can shut 
down these newly installed services until you've con- 
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figured them. Or, better still, stage your new server on 
a protected LAN before connecting it to the Internet. 


How Not to Be Root in Ubuntu 
As I explained in last month’s column, Ubuntu is set 
up so that you never can actually log on as root. 
Instead, you create one or more nonprivileged login 
accounts that are authorized to execute root-privi- 
leged commands via sudo, the “superuser do” com- 
mand. This makes it harder to damage your system 
accidentally, and it has the security benefit of 
removing the root account as a viable attack vector, 
because root has no password and can’t log in. 

So, for example, whereas on a standard Debian 
system you might install the package foo with 
this command: 


aptitude install foo 


On Ubuntu, you'd use: 


sudo aptitude install foo 


After issuing any command with sudo, you'll be 
prompted for your own password, not root's, which 
will be cached for a brief period of time during 
which subsequent sudo commands won't require 
re-authorization. 

If you need to change sudo’s configuration 
(which determines who is authorized to run which 
commands, under what circumstances), you must 
use the visudo command to edit the file /etc/sudoers. 
The Ubuntu RootSudo Page (see Resources) provides 
more information. 


Installing Optional Software 
It's no coincidence that I used the aptitude command 
in the above examples. Chances are, one of 
the first things you'll do after installing Ubuntu 
Server is install some additional software, and 
aptitude is Ubuntu Server's best tool for this job. 
Perhaps surprisingly, given that the Ubuntu 
Server distribution doesn’t even fill a 650MB CD- 
ROM, there are many useful packages from which 
to choose on the CD in its /pool directory. When 
you install Ubuntu Server, the installer also auto- 
matically configures the Advanced Package Tool 
(apt) system, for which aptitude is a front end, 
with the locations of some download repositories. 
In last month’s column, I described the Ubuntu 
repository structure in detail. In case you missed 
that, here’s a quick review: 


■ Main contains Ubuntu’s fully supported, fully 
patched, free software packages. 


■ Restricted contains Ubuntu’s fully supported, nonfree 
(copyrighted) software packages. 


■ Universe contains Ubuntu’s free but 
not fully supported/patched packages. 


■ Multiverse contains packages that 
are neither fully free nor fully 
supported/patched. 


You might think that on a server sys- 
tem, universe and multiverse packages 
should be avoided, as they lack any 
guarantee of timely security patches or 
bug fixes. And, as a general rule, I think 
you'd be right. 

But, there are some notable packages 
in universe and multiverse that may be 
worth installing and sustaining whatever 
risk is entailed. One such package is 
Bastille (in universe), a comprehensive 
system-hardening tool you can uninstall 
after it does its thing. Another might be 
Tripwire (in multiverse), which is the clas- 
sic file integrity checker, though the main 
repository’s aide packages provide the 
same functionality and are fully support- 
ed by the Ubuntu security team. 

All of these packages are part of 
the main repository. Unlike with 
Ubuntu Desktop, however, these can 
be installed from the Ubuntu Server CD. 


Notable Ubuntu Server 
Packages 

Space does not permit me to include 
lengthy charts of security-related packages 
like those I provided in the Ubuntu 
Desktop column last month. If I did, 
they would be very similar except for 
two things. 

First, I would omit security auditing 
tools, such as Nessus and tcpdump 
(though both are on the Ubuntu Server 
CD). You shouldn't install anything on 
any Internet server, or other multiuser 
system, that can be used by an attacker 
against the system itself or other systems 
on your network. Instead, you should run 
such tools from an administrative system, 
where they’re less likely to be abused. 

Second, you would see that many 
packages on Ubuntu Desktop must be 
downloaded from a main repository 
Web site. These are, in fact, provided on 
the Ubuntu Server CD under /pool. 
These include the following: 


■ aide 
■ auth-client-config 
■ apparmor 
■ chkrootkit 
■ cryptsetup 
■ dovecot-imapd 
■ exim4-daemon-heavy 
■ gnupg 
■ ipsec-tools 
■ libkrb53 
■ sasl2-bin 
■ libselinux1 
■ libwrap0, tcpd 
■ openssh-server 
■ libpam-opie 
■ shorewall 
■ slapd, ldap-utils 
■ squid 
■ vlan 
■ vsftpd 

I'll leave it to you to explore the many 
other security-related packages available 
in the Ubuntu repositories. One of the 
best ways to do this is to look them up 
on packages.ubuntu.com. 


No Automatic Updates in 
Ubuntu Server 

Given the importance of patching to 
maintain system security, you might be 
surprised to learn that Ubuntu Server 
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doesn't have any specific mechanism for automatically 
downloading and installing security updates. I can 
explain why in two words: change control. 

On a production server that does real work, it’s 
a bad idea to apply any patches, even security 
updates, until after you've tested them on a similar 
server in a lab to make sure they don’t break any- 
thing. Sure, you can run the commands aptitude 
-y update, aptitude -y upgrade, aptitude -y 
dist-upgrade and aptitude -y autoclean from a 
cron job each night. But that -y option, which allows 
aptitude to run unattended, also might cause a 
package update to overwrite some custom configu- 
ration file with a default configuration. 

On a server, you're better off running these com- 
mands manually as needed, without the -y option 
(after first doing so on a test system if you run in a 
change-controlled environment). That way, you'll be 
prompted before any configuration files are overwrit- 
ten, and you'll be able to observe firsthand the 
changes aptitude makes to your system as they 
happen. Subscribe to the ubuntu-security-announce 
mailing list (via www.ubuntu.com/support/ 
community/mailinglists) to receive e-mail notifica- 
tions of security patches as they're made available. 


Novell AppArmor in Ubuntu 

As I discussed last month, the Ubuntu port of Novell 
AppArmor is installed by default in Ubuntu systems. 
This is true of both Server and Desktop. In Ubuntu 
Server, however, AppArmor is present but not 
configured; you'll need to activate any policies you 
want to enforce manually (AppArmor profiles reside 
in /etc/apparmor.d). 

If you're unfamiliar with AppArmor, it’s a power- 
ful means of running applications in contained 
environments, such that applications’ access to 
local resources is kept to a minimum. It’s similar to 
SELinux, but less comprehensive and, therefore, 
easier to understand and administer. 

However, on Ubuntu, no graphical tools are 
provided for this purpose, even in Ubuntu Desktop. 
What's more, the only Ubuntu documentation 
(besides man pages) is the AppArmor page on the 
Ubuntu User Community Wiki (see Resources), 
which is little more than a listing of commands and 
their command-line syntax; no HOWTOs or other 
introductory material are provided. 

For the time being, it appears AppArmor on 
Ubuntu Server is for expert users only. 


Conclusion 

I've discussed Ubuntu's sensible omission of the X 
Window System in its default installations, enumerated 
security features in the Ubuntu Server installer, 
pondered the merits of the disabled root account, 
listed some security-enhancing software packages 
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available in Ubuntu Server and considered Ubuntu’s 
fledgling AppArmor support. 

My overall opinion? Ubuntu Server 7.10 is a 
remarkably compact, straightforward, command-line- 
oriented Linux distribution with a reasonably secure 
set of default configurations and an impressive array 
of fully supported, security-related software packages. 
(Fewer than Debian, but many more than CentOS or 
RHEL.) If you're an intermediate-to-advanced Linux 
system administrator, depending on what you need to 
do, Ubuntu Server may be worth checking out. 

If you're a Linux newbie looking for a gentle 
introduction to the Linux experience, Ubuntu 
Desktop is a much better choice, even if you want 
practice setting up server applications. 

That's it for now. Until next time, be safe! 


Mick Bauer (darth.elmo@wiremonkeys.org) is Network Security Architect for 
one of the US's largest banks. He is the author of the O'Reilly book Linux Server 
Security, 2nd edition (formerly called Building Secure Servers With Linux), an 
occasional presenter at information security conferences and composer of the 
“Network Engineering Polka”. 


Resources 


The Official Ubuntu Home Page: www.ubuntu.com 


Ubuntu Server Guide: https://help.ubuntu.com/7.10/ 
server/C/index.html 


Christer Edwards’ blog, which consists almost entirely of 
handy Ubuntu HOWTOs: ubuntu-tutorials.com 


“Ubuntu Server: Considering Kernel Configuration” by 
Carla Schroder: www.enterprisenetworkingplanet.com/ 
netos/article.php/3710641 


Home Page for Webmin, a Free Web-based GUI for 
Remote Server Management: www.webmin.com 


The Ubuntu RootSudo Page, Describing Ubuntu’s sudo 
Implementation in Detail: https://help.ubuntu.com/ 
community/RootSudo 


Security Pages on the Ubuntu User Community's Wiki: 
https://help.ubuntu.com/community/Security 


AppArmor Page on the Ubuntu User Community's Wiki: 
https://help.ubuntu.com/community/AppArmor 


The “Securing Debian Manual”, Indirectly Applicable 
to Ubuntu: www.debian.org/doc/manuals/ 
securing-debian-howto/index.en.html 


Bauer, Michael D. Linux Server Security, 2nd ed. 
Sebastopol, CA: O'Reilly Media, 2005. Provides detailed 
procedures for securing popular server applications. 
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KYLE RANKIN 


Mutt Tweaks for 
System Administrators 


If digging through your server e-mail bogs you down, use these tips 
to organize and tweak your mutt configuration and cut through that 
mailbox like a letter opener through an envelope. 


I am one of those people who stores everything in 
e-mail. Travel reservations, phone numbers—if it is 
in an e-mail message, I know one way or another I 
can find the information. That might be one of the 
reasons I have been using mutt as my main mail 
program both at home and work for years. It is 
difficult to beat when you need to read, search and 
navigate large mailboxes full of mail. That, and it has 
vi-style key bindings. I love vi-style key bindings. 

If you are a sysadmin, there are even more rea- 
sons to love mutt. For one, you probably spend a 
good deal of your day in front of a terminal, so 
why not read your mail from there as well? A lot of 
administrators like to run stripped-down servers that 
don't include binaries for X or graphical tools, but 
mutt is small, and what's more, you can ssh to a 
server or your work desktop from another machine 
and check your mail. 

At work, I like to segregate my e-mail into folders, 
based on whether a message is from a person 
or a server (and, of course, I segregate them further 
from there). If you manage a lot of servers, those 
mailboxes can start to get rather large. Almost 
nothing compares to mutt when you need to open 
a mailbox with a few thousand new messages. This 
brings me to my first almost-essential mutt tweak: 
header caching. 

Header caching is a feature that has shown up 
in mutt only in the past few years. Essentially, it 
allows mutt to cache the headers from mailboxes, 
so that the next time you load the mailbox, it 
has to pull down only the new messages. This 
is particularly handy with IMAP servers or even 
large local mailboxes. 

To enable header caching, create a directory 
called .muttheaders in your home directory, then 
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add the following line to your ~/.muttrc, and restart 
mutt or reload your mutt config: 


set header_cache="~/.muttheaders/" 


Separate Mutt Configs 

This tweak is, in some ways, more organizational, 
and it’s handy not only for sysadmins but also for 
anyone who runs mutt on multiple machines. Many 
mutt guides will tell you to split .muttrc into multi- 
ple files for different types of configuration, so you 
can have one file that has all of your color options, 
another with your key bindings and so forth. Then, 
you simply can add a source line to your .muttrc file 
that points to the new file, and mutt will load those 
options as well. 

What I like to do is take it a step further and 
create a .mutt directory in my home directory and 
place all of those files including my .muttrc in that 
directory. Then, I create a new file in my home 
directory called .muttrc.local. In this file, I store any 
options that are specific to just that particular 
machine (IMAP settings, local mailbox locations and 
so on) and keep the rest of the options organized in 
different files in the .mutt directory. Finally, I create a 
symlink from ~/.mutt/.muttrc to ~/.muttrc, so mutt 
still will be able to find it. In this .muttrc, you would 
find source lines like: 


source ~/.muttrc.local 
source ~/.mutt/colors 
source ~/.mutt/aliases 
source ~/.mutt/mailboxes 


The advantage to this arrangement is that once I 
make a change to any of the files in .mutt, I simply 
can rsync that entire directory to any other machine 
on which I run mutt, and all of my changes will 
be there. If I didn’t segregate these to a directory 
and separate .muttrc.local, I would have to worry 
that any local settings from one machine would 
clobber the rest. 


Colorize Important Words 
If you read through a lot of cron, Nagios or other 
e-mail your servers generate for you, it’s easy to let your eyes 
glaze over and miss important content. What I like to do is 
tweak my mutt configuration so that certain words, like warning, 
are colored in bright yellow, and words like error and fail 
show up in bright red. This is surprisingly easy to do with mutt 
in only a few lines: 


color body brightyellow default warning 
color body brightred default error 
color body white default 'no error' 
color body brightred default "fail(ure|ed)?" 


Notice the line that matches no error. I noticed that some 
messages said “no error” in them, and the error section still 
was being colored red. If this happens with your keywords, 
simply add a similar line in there to override the previous less- 
specific match. You don't have to limit yourself to just these 
keywords. For instance, you also could highlight certain server 
names with a particular color or assign different data-center 
locations distinct colors. 


Read Important Messages First 

Once I had colorized all my e-mail, it was great—I would 
browse through output and more critical e-mail would 
jump to my attention. As the number of messages started 
to grow though, I noticed I would spend a lot of time 
reading the less-important messages before I found the 
important ones. My solution was to use the limit feature in 
mutt. When you are in the index view in mutt (where mutt 
shows you only the From and the Subject lines), you can 
tell mutt to limit (the l key by default) the headers you 
currently can see based on a pattern. 

For instance, if I wanted to see only all the headers that 
said Bob, I could type l and then Bob <Enter>. Then, to see 
all the headers again, I could type l and then all <Enter> 
to show all messages. You also can have mutt search within 
the body of messages, so I created a mutt macro that 
I bound to the F3 key, so that when I see the full list of 
headers and press F3, it limits the view only to new messages 
that contained error or fail in them. I could read 
those messages first and then change the limit back to 
all and tab through the rest. Here is the extra line in my 
.muttrc to create the macro: 


macro index <F3> "l~N ~b \"([^nN][^oO].error|[Ff][Aa][Ii][Ll])\"<enter>" 


I constantly am surprised with how far you can extend 
mutt. It is definitely one of those programs that gives your 
time back in gained productivity as you learn more about its 
configuration options. If you use your e-mail to remember 
things, or dig through a large stack of server e-mail every day 
(or even if you don’t), mutt is an invaluable e-mail companion 
that always has new tricks. 


Kyle Rankin is a Senior Systems Administrator in the San Francisco Bay Area and the author of a 
number of books, including Knoppix Hacks and Ubuntu Hacks for O'Reilly Media. He is currently 
the president of the North Bay Linux Users’ Group. 
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| NEW PRODUCTS 


The Amanda Company's Vdex-40 


The solutions growing up around the Asterisk telephony engine and toolkit 
are plentiful. One of the latest is The Amanda Company's Vdex-40, reputed 
to be the first embedded Asterisk-based system to enhance voice quality. 
The secret, according to the company, is “the inclusion of multiple 
microprocessors as well as DSPs”. The Vdex-40 ships with 16 G.711, G.723.1, G.726 
and G.729a/b voice codecs (a mix of 16 concurrent codecs), hardware-based 
G.168 echo cancellation and four built-in telecom line ports. Amanda also 
touts the Vdex-40's elimination of moving parts, such as fans and hard 
drives, which further improves the product's reliability. Despite its 
technological advancements, the Vdex-40 is intended to be an affordable, 
Internet-enabled telephone system for the needs of the small office/home 
office market. 


www.taa.com 


Hyperic’s Hyperic HQ 


If you are managing high-volume Web infrastructures, check out the new version 
3.2 of Hyperic HQ from Hyperic, Inc. HQ’s value proposition is an open-source 
solution offering “hands-free monitoring and management for Web-scale 
systems”. HQ supplies performance and event data, product coverage and 
the functionality operations teams need to discover, diagnose and deliver a 
solution in a single tool. Version 3.2 adds features, such as cross-platform 
diagnostic tools, Nagios support and MySQL support with up to 1.5 million 
transactions per minute. Hyperic also counts CNET as one of its customers. Linux 
support includes Red Hat and Fedora. The standard edition and a three-device 
trial enterprise edition of Hyperic HQ are available at Hyperic’s Web site. 


www.hyperic.com 


SIMPOL's Developer Kit with Desktop 


The goal of the British firm SIMPOL is to simplify cross-platform software 
development, which has been advanced recently with two new products: the SIMPOL 
Developer Kit and SIMPOL Desktop. First, the SIMPOL Developer Kit, using the 
SIMPOL programming language with redistributable libraries, provides the 
components necessary for creating applications of many types, such as desktop, Web 
server and standalone server. Future releases will support application development 
for Mac OS X, Windows CE and SymbianOS. Second, the SIMPOL Desktop, which 
works with the Developer Kit, is a lightweight end-user database product that 
enables users to build data-rich applications without programming and to modify 
sample applications. One can create an application based on database tables, 
forms and reports. Applications can be deployed by writing them as extensions to 
SIMPOL Desktop rather than re-inventing all the functionality over again. 


www.simpol.com 


Hewlett-Packard’s FOSSology 


Keeping track of the licensing conditions of the complete source code of an open-source 
project can be a pain. Such pain stimulated HP’s FOSSology Project, a tool that quickly 
and accurately describes how a given open-source project is licensed. FOSSology analyzes 
all the source code for a given project and reports all the licenses being used, “based on 
the license declarations and tell-tale phrases that identify software licensing”, says HP. The 
goal of FOSSology, which literally means “the study of FOSS”, is twofold. First, HP seeks 
to allow IT organizations to adopt open-source software confidently, as well as to uncover 
what open-source software is being used within their environments. Second, HP seeks 
to support open-source developers and distributors to create a clear licensing picture of 
the projects and packages they produce. The tool is available to all in order to promote 
a more vibrant, open community of open-source users and contributors. 


fossology.org 


NEW PRODUCTS


Embedded Projects’ USBprog 


Developers of embedded systems are typically faced with the challenge that 
every new controller needs a separate debugging or programming adapter. 
These often either are not available or are disappointing on the Linux platform.
To the rescue is Embedded Projects’ USBprog, a free, universal programming
adapter with a bootloader and tools that allow one to change the adapter’s
functionality via open-source software easily. Users can install different firmware versions from 
an ever-growing on-line pool over USB. The adapter can be used for programming and debugging AVR 
and ARM processors, as a USB-to-RS232 converter, as a JTAG interface or as a simple I/O interface. 


www.embedded-projects.net/usbprog 


Navicron’s Fusionplatform and Fusionsoftware 


Pushing the envelope on mobile wireless devices, Navicron recently introduced two new 
products: fusionplatform, a reference, high-performance, mobile entertainment engine; and 
fusionsoftware, a Linux-based platform with a GTK-based front end for application develop- 
ment. Navicron stresses the integration value of the two products that are “designed from the 
ground up and optimized for wireless consumer electronics and handheld products based on 
Linux” or other OSes. Fusionplatform contains a powerful multimedia application processor 
and support for the latest wireless standards and multimedia features. Components can be 
added, left out and upgraded/downgraded simply. Navicron also cites advantages from using 
open source, which offers “unparalleled mobile multimedia experiences to consumers”. 


www.navicron.com 


Azingo’s Azingo Mobile 


In yet another instance of Linux's agility on diverse devices, Azingo has released 
Azingo Mobile, a suite of open mobile software and services that help companies 
deliver rich multimedia experiences to a wider range of mobile phones. Based on 
LiMo Foundation specifications, the suite allows handset makers and operators to 
“plug in” a comprehensive and pre-integrated mobile middleware framework that 
provides a variety of out-of-the-box applications and an Eclipse-based SDK. Azingo 
says that the product accelerates time to market and allows for lower-cost phones to 
offer the latest multimedia and UI innovations. The Linux-based software platform 
also includes a feature-rich browser; a highly configurable UI; media players for
music, video and photos; a mobile-optimized Linux kernel and more. Finally, Azingo 
says that its platform can be integrated into new handset and chipset designs. 


www.azingo.com 


No Tech Hacking by Johnny Long and Kevin Mitnick (Syngress) 


If security is on your shoulders, you may want to get insights from the new book No Tech 
Hacking: A Guide to Social Engineering, Dumpster Diving, and Shoulder Surfing by Johnny Long 
and Kevin Mitnick and published by Syngress. No Tech is an irreverent, behind-the-scenes memoir 
of two professional hackers wreaking havoc. Long and Mitnick take the readers along as they 
break in to buildings, slip past industrial-grade firewalls and scores of other high-tech protection 
systems put up to thwart intruders. After hundreds of jobs, the authors reveal their secrets behind 
bypassing every conceivable security system. Included are photos, videos and stories that show 
how vulnerable the high-tech world is to no-tech attacks. 


www.syngress.com


Please send information about releases of Linux-related products to James Gray at newproducts@linuxjournal.com or New Products
c/o Linux Journal, 1752 NW Market Street, #200, Seattle, WA 98107. Submissions are edited for length and content.


REVIEWS


SOFTWARE 


VMware Server 2.0 Beta 


An overview of the promising VMware Server 2.0 Beta. JES HALL 


VMware Server 2.0 Beta is the next 
evolution in the free-as-in-beer virtual- 
ization line. It's able to run on both Linux 
and Windows and virtualize a wide 
range of guest operating systems. We 
tested out the beta on Ubuntu 7.10, 
running on an Intel Core 2 Duo 6600 
at 2.4GHz with 2GB DDR2 memory. 

The new features available in the 
beta include: 


■ Web-based management interface.

■ New supported operating systems,
including Vista Business and Ultimate
(host only), Windows Server 2008,
RHEL 5 and Ubuntu 7.10.

■ Up to 8GB of memory per VM (up
from 3.6GB).

■ Up to two virtual SMP processors.

■ Up to 64 VMs per host.

■ VIX API 1.2—scripting API for
automation.

■ Support for VMI, enabling transparent
paravirtualization for supported guests.


The installation routine hasn’t
changed from that on almost every 
VMware product on Linux for the last 
five years. The console-based wizard is 
relatively easy to follow. So far, the beta 
doesn’t have any real user authentica- 
tion methods; it expects the root user 
name and password to log in to its Web 
interface. Ubuntu users need to enable 
the root account by setting a root 
password to use VMware Server. 

The traditional-looking VMware con- 
sole has been done away with entirely, 
and the FAQ and release notes seem to 
imply that a standalone VMware con- 
sole cannot be used to access the virtual 
machines, although we were unable to 
confirm this. Instead, the Web interface
is intended to be the entire interaction
point between the user and the
VMware processes.


Figure 1. Defining a Virtual Machine Using the Web Interface

The Web interface looks extremely 
professional and appears as though it 
has been designed specifically for Server, 
as it bears little resemblance to that 
found in VMware's flagship virtualization 
platform, ESX Server. The interface feels 
a little clunky to use and is slow to 
respond. Occasionally, buttons simply
would refuse to react until the Web
browser had been refreshed. The console 
to access virtual machines directly has 
been implemented as a browser plugin 
that the server prompts you to install
when you first attempt to navigate to the 
Console tab. The plugin seems to work 
only for Firefox running on Windows or 
Linux; Internet Explorer or Mac OS X 
users seem to be clear out of luck. 

The plugin seems extremely buggy,
often requiring a refresh of the browser
window before it will work again. The 
console also often crashes the browser— 
quite a major irritation. However, when 
the plugin is working, it works exception- 
ally well with surprising performance—an 
impressive feat. If the stability issues can 
be straightened out, it’s an exceptionally 
powerful tool. On the server side, the 
version of Tomcat bundled with VMware 
Server occasionally would malfunction 
until the process was restarted, sending 
TCP RST to the browser. 

When it’s up, the interface to define 
or add virtual machines is cumbersome. 
First, a data store has to be defined, 
and the dialog to open VMs, CD images 
and any other file type does not support 
browsing outside that data store. Given 
that anyone logging in to VMware 
Server runs as root, we imagine there 
might be some security implications of 
allowing VMware access to the entire 
filesystem, but because VMware Server 
runs as root, there definitely are some 
security implications, as it can do what- 
ever the heck it likes anyway. Hopefully, 
this design choice makes more sense 
when user authentication is implemented 
into the product later on—particularly if 
data stores can be defined only by a 
root user and can’t be modified later by
an unprivileged user.


Figure 3. OpenSUSE 10.3 Running under VMware Server 2 Beta

Every attempt to add any of our 
three already-configured Microsoft 
Windows virtual machines immediately 
crashed the browser. Unfortunately, for 
this reason, we were unable to test run- 
ning Microsoft Windows under VMware 
Server 2.0 Beta, not having any free 
licenses to create another Windows 
VM. We were able to add pre-existing 
Debian virtual machines that had been 
created in Workstation 6 for Linux. 

Server 2.0 Beta allows for the
creation of two virtual machine types:
Server 2 and legacy. Server 2 VMs are 
Workstation 6-compatible and support 
ten virtual Ethernet devices instead of 
only three, as well as paravirtualization 
with a supported guest OS. Unfortunately, 
the compatibility of the new Server 2 
VM format seems rather buggy. Using 
the Server 2 option seems to guarantee 
a VM that does not work on Workstation 
6, VMware Player 2 or VMware Fusion 
1.1, all of which should be able to 
open them. 




We decided to install an OpenSUSE 
10.3 virtual machine to test the perfor- 
mance of the console interface with a 
heavy graphical desktop environment. 
The performance was exceptional in 
every area—feeling almost as though 
we were sitting in front of a reasonably 
spec’d machine running the OS natively. 
The in-browser console rendered the 
desktop beautifully without a single 
glitch. The mouse performance was 
slightly subpar, but this is an issue we 
have found on almost every virtualiza- 
tion platform we've tried. It looks very 
much like VMware Server has caught up 
with Player, Workstation and Fusion in 
leveraging the extra hardware features 
of the newer Intel and AMD architec- 
tures that accelerate virtualization. 

One aspect of the new beta that is 
above reproach is the documentation. 
The user manual is exceptional for a 
product in this stage of development, 
covering all conceivable aspects of using 
VMware Server. All other available 
documentation is polished and looks 
very complete already. 

VMware Server 2 looks like a very 
promising product. Unfortunately, it has 
massive showstopper bugs that make 
this seem more like a pre-alpha than a 
beta. The feature set, however, is rela- 
tively solid and particularly impressive 
given the price tag. If these issues can 
be worked through, the Web interface 
is a powerful enough tool that this 
could be a promising iteration in the 
VMware Server line.


Jes Hall is a Linux Technical Specialist and KDE developer 
from New Zealand. She's passionate about helping open- 
source software bring life-changing information and tools to 
those who would otherwise not have them.


REVIEWS


HARDWARE 


iPod + Rockbox =
Entertainment Extravaganza 


What's cooler than a box of rocks? Well, a lot, but not much is cooler than 
Rockbox on your iPod! SHAWN POWERS 


Wouldn't it be great if you could cus- 
tomize an iPod and run third-party soft- 
ware on it? Wouldn't it be great if you 
could download games and applications 
along with the songs and videos you 
already have? Wouldn't it be great if all 
those features were open source and free? 
Wish no longer. Rockbox offers all those 
things, wrapped in an easy-to-use installer. 
Rockbox is an open-source firmware 
replacement for a variety of music and 
video players. The interface is very similar, 
regardless of the device, and as I don’t
have access to anything other than an
iPod, this review focuses on it. You
certainly don’t need an iPod to use
Rockbox, but because Apple’s products
are so popular, I was happy to see a wide
variety of iPod models are supported. 
Check out the Rockbox Web site to see 
whether your media player will work. 


Installation 

To get Rockbox on your iPod, the devel- 
opers offer two options, automatic and 
manual. The automatic option appealed 
to my lazy nature, but unfortunately, it 
didn’t work for me. I think this was largely
because my iPod was formatted with the
HFS (Apple) filesystem instead of the
FAT32 (Windows) filesystem. On an iPod
with the FAT32 filesystem, the automatic
installer is very slick and downloads the
latest version of the programs directly
from the Internet. I wish the automatic
installer had worked for me off the bat,
because then I could have just suggested
you use it (which I still do) and forget
about the manual stuff. 

Thankfully, the documentation is 
very helpful even if you are forced to 
use the manual method. Here's a brief 
overview of the procedure, but be 
sure to read the documentation before 
attempting it on your own. It’s not terri- 
bly difficult, but it requires extensive use 
of the command line. My suggestion is
to try the automatic installation program
first, and resort to the following
method only if the installer doesn't 
work for you. 


Manual Installation Steps 

Go to www.rockbox.org, and click on 
Manual at the left. Find your specific 
device on the list, and go to the instruc- 
tion manual provided. The installation sec- 
tion is helpful, and following it will ensure 
success. Here's a rundown of the steps: 


1. If you have an iPod that was format- 
ted for use with OS X, you need to 
convert the filesystem to FAT32. 
You either can plug the iPod in to 
a Windows machine and have 
iTunes reformat it, or follow the 
directions provided in the Rockbox 
manual to reformat it with Linux 
command-line tools. 


2. Download the appropriate version of 
Rockbox from the Web site and extract 
it directly to the iPod. If done properly, 
there should be a folder on the iPod 
called .rockbox with the program 
inside. It should be at the root level 
of the iPod (not the root level of your 
computer), and because it starts with 
a dot, it won't be visible by default. 


3. Next, download the font package, 
available from the Extras section on 
the Web site. The font package is the 
same, regardless of what media play- 
er you have, so you can’t go wrong 
when downloading it. Just like with 
the Rockbox software, the fonts need 
to be extracted at the root level of 
the iPod. (The fonts actually reside 
inside the .rockbox folder, but the zip 
file is designed to be extracted at the 
root level of the iPod, and it will put
them in the correct place.)


Figure 1. The Rockbox bootup screen: if you see this, you've succeeded.


4. Finally, install the Rockbox bootloader. 
This is the part that causes the iPod 
firmware to load Rockbox instead of 
the original iPod software. Download 
the Linux version of ipodpatcher (link 
provided in the installation manual), 
and execute it as root: 


$ chmod +x ipodpatcher
$ sudo ./ipodpatcher


Assuming all goes well, you should 
see a message telling you the bootloader 
has been installed. Feel free to do a happy 
dance, and then hold down Menu + 
Select to reboot your iPod into Rockboxy 
goodness (Figure 1). If you have problems 
along the way, and corrupt the partitions 
on your iPod (as I did once), just plug it
back in to your iTunes machine, allow it 
to repair itself, and start over. 
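
A pre-flight check for steps 1 to 3 above, meant to be run before step 4 starts ipodpatcher as root. This is an added example, not code from the article or from the Rockbox project; the mount point argument, the `fonts` subfolder name inside .rockbox, the use of findmnt and the function names are assumptions.

```shell
#!/bin/sh
# Added example: verify the iPod layout from steps 1-3 before installing
# the bootloader. Assumptions (not from the article): the iPod mount point
# is passed as the first argument, the font package unpacks to
# .rockbox/fonts, and findmnt (util-linux) is installed.

# Print the filesystem type of the mount that contains directory $1.
fs_type_of() {
    findmnt -n -o FSTYPE -T "$1" 2>/dev/null
}

# check_ipod MOUNTPOINT [FSTYPE]
# Prints a space-separated list of problems (empty when there are none)
# and returns 0 only when the layout matches steps 1-3.
# FSTYPE is detected with findmnt unless given explicitly.
check_ipod() {
    root=$1
    fstype=${2:-$(fs_type_of "$root")}
    problems=""

    # Step 1: an HFS-formatted iPod must be converted to FAT32 first.
    # Linux reports a mounted FAT32 volume as vfat (or msdos).
    case "$fstype" in
        vfat|msdos) ;;
        *) problems="$problems filesystem-not-fat32" ;;
    esac

    # Step 2: .rockbox must sit at the root level of the iPod.
    if [ ! -d "$root/.rockbox" ]; then
        problems="$problems rockbox-missing"
    fi
    # Extracting the archive inside .rockbox instead of the iPod root
    # leaves a second .rockbox one level too deep.
    if [ -d "$root/.rockbox/.rockbox" ]; then
        problems="$problems rockbox-nested"
    fi

    # Step 3: the font package, extracted at the iPod root, ends up
    # inside .rockbox (assumed subfolder: fonts) and must not be empty.
    if [ -z "$(ls -A "$root/.rockbox/fonts" 2>/dev/null)" ]; then
        problems="$problems fonts-missing"
    fi

    problems=${problems# }
    echo "$problems"
    [ -z "$problems" ]
}

# Stand-alone use: ./preflight.sh /media/ipod   (example mount point)
if [ $# -gt 0 ]; then
    check_ipod "$@" && echo "layout OK, ready for step 4 (ipodpatcher)"
fi
```
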


Rockbox Features at Your 
Fingertips 

Now that you have Rockbox installed, 
let's talk a bit about what you can do 
with it. Yes, with a name like Rockbox, 
your iPod now sounds threatening and 
weapon-like. And sure, if you throw it 
hard enough, you probably could hurt 
someone with it, but really, there are 
more productive things to do with your 
new media player. Let’s look at a few. 


Games 

Apple ships iPods with a few games, 
and the newer models allow you to 
purchase additional ones, but the sheer 
number of Rockbox’s available titles 
leaves the commercial alternatives in the 
dust. Although many of the games are 
the type you'd expect to see on a device 
the size of an iPod, one game surprised 
me—Doom. Seriously, as hard as it is to 
believe, id Software's Doom runs natively 
on the iPod (Figure 2). I'll admit, con- 
trolling it was a bit awkward, but 
there it was in all its glory. 

Although high on the cool factor, 
Doom wasn't the best game available. 
I found Bubbles (much like Frozen
Bubble) and Jewels (much like Bejeweled) 
to be the most fun. Just like the com- 
puter version of these games, their 
iPod counterparts easily will suck hours 
of productivity from your life. You've 
been warned. 


Applications 

Along with the games, Rockbox also 
includes a handful of applications. The 
metronome was particularly useful, and 
the text editor was particularly difficult. 
I'm impressed there is a text editor at 
all, but the interface is severely limited 
by the lack of buttons. I’d rather use a 
cell phone to text-message an entire 
novel than try to write an article of this 
size with the Rockbox text editor. Still,
it’s nice to have the option. One oddity
worth mentioning is that there’s not
really a standard way to exit games and
applications once they start. Sometimes,
pressing the menu button exits.
Sometimes, you must press the select
and menu buttons. Other programs
require you to press play and select in
order to get back to the main Rockbox
program. I’m sure this is because the
different programs (or plugins, as they
are called in the Rockbox interface) are
developed by separate programmers,
but I wish there was a standard in place
regarding how to exit.


Figure 2. Here’s Doom running on the iPod Mini. No, really, it is.


Apple iPod Original Firmware Pros and Cons

PROS:

■ Simple, intuitive interface.

■ Automatic syncing with iTunes
playlists.

■ Ability to play DRM music from
iTunes store.

CONS:

■ Limited to MP3 and AAC
playback.

■ Proprietary database is frustrating
to interface with non-iTunes
programs.

■ Very limited number of games
and applications.

■ Not expandable, except for commercial
games on some models.


Other Stuff 

Along with games and applications, 
there’s also a group of programs called 
demos. If you were a computer user 
back in the early 1990s, you may 
remember hacking groups releasing 
what they called demos, in which they 
would show off their programming skills 
and push the graphics processors of 
the time to their limits. These Rockbox 
programs follow a similar road, and 
the demos mainly show off the iPod's
graphics and processor. They aren't useful
for much more than oohs and aahs,
but they do make for interesting
conversation starters. The demos vary from
a simple starfield simulation to a 3-D
cube to a complex digital fire scene.


Rockbox Replacement Firmware Pros and Cons

PROS:

■ Numerous games, applications
and demos available.

■ Customizable themes for varied
look and feel.

■ Supports more music formats.

■ Rockbox is open for development,
changes, additions and
third-party plugins.

■ Music quality is better—or so they
claim. (I can't tell the difference.)

■ Music management is simple
and flexible.

■ Multiple dynamic playlists can be
created on the fly.

■ Playlists are standard M3U files.

■ Allows for dual-booting, with
the option to start original
iPod firmware.

CONS:

■ Very complicated due to a
number of features. Playing
music isn’t as simple as with
the original firmware.

■ Battery life isn’t as long as with
the original firmware (a solution
is in development).

■ Programs (plugins) don’t have
consistent controls, especially
for exiting.

■ Can't read iTunes database.

■ Can't play DRM'd files.


Oh, It Also Plays Music 
and Video 
Rockbox has a plugin (again, that’s what 
these add-on programs are called) that 
allows playback of MPEG-1 and MPEG-2 
video. The main focus of the program, 
however, is to play music. Rockbox supports
pretty much any non-DRM music
file, and Rockbox claims the audio playback
is better quality than with the original
iPod software. Honestly, I can’t tell
the difference, but perhaps audiophiles 
will notice the improvement. Locating 
and playing files is done mainly by 
traversing the folder structure on 
the drive. Rockbox also can create a 
database of information (Artist, Album 
and so forth), but unfortunately, it can’t 
read the database created by iTunes. 
To add insult to injury, if you try to find 
songs placed on the drive by iTunes, 
you'll find cryptically named files in 
equally cryptically named folders. 
Playlists are created easily in Rockbox, 
and it’s possible to create and save several 
playlists on the fly. They are standard 
M3U files, so uploading a playlist you've 
created on a computer is a fairly pain- 
less endeavor. Because the Rockbox 
iPod mounts as a standard USB drive, 
manipulating songs and playlists from 
the computer is literally as easy as drag- 
ging and dropping. Most Linux-based 
MP3-playing software, like Amarok or 
Rhythmbox, will recognize the Rockbox 
player as well. There's really not a best 
way to handle music management; it’s 
a matter of personal taste. 


The Verdict? 
What Rockbox does, it does very well, 
and very completely. I found the installation
procedure easy enough that
everyone should be able to accomplish
it, and yet it was geeky enough that I
felt a level of satisfaction when it was 
complete. The number of features 
Rockbox has compared with the stan- 
dard iPod software is astronomical, 
but that’s only a good thing if you're 
looking for lots of features in your 
media player. Let me explain. 

I installed Rockbox, and played with
games, demos and applications for a
long time. Then, I played some music
and realized one of the advantages
the original iPod software has over
Rockbox—simplicity. If you just want to
listen to music, without the complexity of 
multiple dynamic playlists, auto/manual- 
generated databases, playlist queue posi- 
tions and sound file gap lengths, you 
might want to consider sticking with the 
original software. Thankfully, the devel- 
opers even have admitted that to them- 
selves and offer a painless way to run 
the original software right alongside the 
new. If you reboot your iPod (hold down 
menu and select for 3-5 seconds) and 
immediately toggle the hold switch, the 
iPod boots the original firmware. So if 
you like everything about the Rockbox 
music player, except the way it plays 
music, don’t worry; you can have the 
best of both worlds. Well done, Rockbox. 


Final Thoughts 

I'm sure on an iPod with a color display, 
the features would have been even 
more visually appealing. Running it on 
the iPod Mini was a good way to com- 
pare it to the simplicity of the Apple 
firmware though. Rockbox does exactly 
what it says it will do. It met all my 
expectations and exceeded them in 
many areas (namely, the quality and 
quantity of games). Oddly enough, 
however, more often than not I found
myself booting the iPod into the original
Apple firmware. That's not to say I
don't reboot into Rockbox when I have
time to play around, but for listening to
music, I have to give the advantage to
Apple. The one thing I’m thankful for,
is that with Rockbox, at least I have a
choice. My choice is to keep both operating
systems on board, because quite
honestly, they're both great.


Shawn Powers is the Gadget Guy at www.linuxjournal.com. 
He’s also the Technology Director for a K-12 school in 
northern Michigan. He loves to read science fiction and is 
quite a Star Trek fan. He's married to a beautiful woman 
and has three lovely daughters. Feel free to contact Shawn 
via e-mail at shawn@brainofshawn.com.


Resources 


Rockbox: www.rockbox.org 


Apple's iPod Page: 
www.apple.com/ipod 


Creators of the Original Doom Game: 
www.idsoftware.com


A new age of environmental awareness appears to be upon
us. The meteoric economic rise of India, China and other 
large countries has not only unleashed a spike in petroleum 
prices and the spectre of dry gas pumps in our lifetime, but 
also has raised fears of our fragile planet's ability to support 
an SUV-lifestyle for billions. Furthermore, the scientific com- 
munity feeds us daily evidence of our climate changing right 
before our eyes. The problems seem so daunting. What can 
we do to fight back and do well by the planet? 

Although hybrid vehicles, wind turbines and ethanol get
the green glory, many people in IT, including in our own
Linux and Open Source communities, deserve attention for 
their green initiatives. With a global problem to solve that 
requires creativity, transparency and massive collaboration, 
who else would you call but the Linux folks? This article 
explains how Mother Nature’s Mayday calls have inspired our 
community to innovate and do more with fewer resources. 
Whether your motivation is to green the earth or save greenbacks
through improved efficiency, read on to find out more
about how you can go green, and save green, with Linux. 


JAMES GRAY


A typical Linux server gulps about 225
Watts or more of power, meaning that 
the millions of Linux servers out there, 
now at around a 27% market share, are 
responsible for nearly 5 million tons of 
carbon emissions annually. Furthermore, 
Springboard Research recently reported 
that an average-size server has the 
same carbon footprint as a mid-size 
four-wheel-drive vehicle. In response to 
this and other daunting evidence, the 
color of Linux is purposefully going 
green. The number of green, Linux- 
based initiatives and projects is prolifer- 
ating, and I'd like to share some of 
them with you. In this article, I discuss
initiatives to save energy related to 
the Linux kernel, distributions and 
applications; virtualization; and excep- 
tionally green Linux-based products 
(such as hardware). 


An initiative is only as good as the 
people and resources behind it. Three 
green-Linux initiatives have formed 
recently: two deep-pocketed ones, 
IBM's Big Green Linux initiative and 
Intel's Lesswatts.org; and a dot-org 
effort, the Linux Foundation’s Green
Linux Initiative.

In August 2007, IBM launched its 
Big Green Linux initiative, intended to 
help its clients integrate Linux into the 
enterprise “as a way to reduce costs 
and energy consumption by building 
cooler data centers”, says IBM. Big 
Green Linux is a subset of Project Big 
Green, a broader initiative to reduce 
energy consumption in the data center, 
both internally and for its clients. 
Although sparse to date, some of the 
Big Green Linux initiatives have included 
improved data-center ergonomics, 
encouraging server consolidation 
onto System p servers and System z 
mainframes, expanding on Linux 
innovations like the tickless kernel 
and collaboration on power manage- 
ment with the Linux community. 

Intel is another IT titan trying to go 
green at both the processor and appli- 
cation levels. The firm readily admits 
that its green innovations historically 
have been further ahead on the 
hardware side than the software 
side. For instance, Intel first focused 
power management improvements on 
the mobile Centrino processor and is 
now migrating those technologies to 
server platforms. Regrettably, the advantageous
hardware engineering often
exists but remains unexploited.

In order to bridge the gulf between 
hardware and software development, 
Intel created Lesswatts.org. The site 
is a nexus of collaboration on projects 
that “drive improvements in power 
consumption that will lead to a cleaner 
environment and allow companies 
to spend less money powering their 
IT infrastructure.” 

Some of the projects included on 
Lesswatts.org are: 


■ PowerTOP: a Linux-based tool that
helps find programs that are needlessly
consuming extra power when
a computer is idle, as well as the
magnitude of overconsumption.

■ Power Policy Manager: a layered,
system-wide power policy framework
that provides a way for users to
select multiple power policies to fit
their systems.

■ Processor Power Management:
a project to leverage the power
management features of Intel
processors fully. Lesswatts.org contains
all the features, solutions and
enhancements related to processor
power management. One example
is the Intel Dynamic Acceleration
Technology, which allows one processor
core to deliver extra performance
while the other core is idle.

■ Display and Graphics Power Saving:
a project that aims to exploit the
power-saving features of Intel’s
graphics chipsets without sacrificing
performance.


Besides those listed above and several 
other projects, Lesswatts.org contains 
numerous power-saving documents, 
whitepapers and tips, such as utilizing 
the Aggressive Link Power Management 
feature on SATA controllers or utilizing 
Gigabit Ethernet only when a system 
needs it. 

Lesswatts.org is directed by Intel's 
Open Source Technology Center, 
the firm's nexus of Linux and open- 
source initiatives. 

Over on the dot-org side of things is 
the Linux Foundation’s (LF) Green Linux 
Initiative. The Linux Foundation is a 
product of the 2007 fusion of Open 
Source Development Labs and the Free 
Standards Group, whose mission is to 
support Linus Torvalds’ and other efforts 
that move Linux forward technologically 
and out in the field. According to 
Amanda McPherson, LF's Director of 
Marketing, LF was inspired to set up a 
Green Linux Workgroup in June 2007, 
at its Collaboration Summit, where 
“concern for the planet [and] power 
management emerged as a top project 
to work on.” LF, says McPherson, is 
pleased with how the tickless kernel, 
PowerTOP and other projects have pro- 
gressed, adding that “developments by 
the community have been very impres- 
sive over the last few years” and that 
enterprises are gradually adopting them 
as the technologies are supported in the 
conservative enterprise distributions. 
“Enterprises are understandably cau- 
tious about upgrading kernel/distribu- 
tion versions and taking advantage of 
new features. As time goes on, these 
features will be used more and more.” 
The Green Group is ramped up or down 
according to project needs and will 
ramp up again this coming June to
address potential new issues, such as 
“Energy Star compliance and better 
optimization of device drivers for power 
management.” McPherson also cited 
the importance of Intel and IBM 
“rallying behind this topic” to move
it forward. 


Tickless Idle in Linux 

The two most significant recent innova- 
tions in Linux regarding power manage- 
ment are tickless idle and virtualization. 
The various Linux distribution makers 
deserve credit for supporting these 
innovations, integrating them into their 
distributions and pushing forward initia- 
tives like Lesswatts.org. 

The idea behind tickless idle is that 
Linux, starting with kernel 2.6.21 for 
32-bit and 2.6.23 for 64-bit machines, 
keeps track of time in a completely new 
way in order to take advantage of low- 
power states in modern processors. The 
strategy involves keeping the processor 
in its lowest power state for as long as 
possible, interrupting that state only 
when necessary. For instance, on an 
Intel Core 2 Duo processor, the power 
states, or C states, vary between 1.2 
and 35 Watts—a significant difference. 
Before kernel 2.6.21, Linux pulled the 
processor out of the lower C state with 
a timer tick to inform the processor of 
the need to perform housekeeping 
tasks. This tick, occurring every few 
milliseconds, functionally reduced 
the usefulness of the lower-power 
states. Without the tick, Linux now 
chills out and conserves power until 
the next timer event is scheduled to 
occur. Multisecond idle periods now 
are possible. 


The power savings from tickless 
idle can have positive benefits in any 
type of machine—from longer battery 
life on brawny notebooks to signifi- 
cantly lower electricity bills for home 
users and data centers. 

Although Intel, through the 
Lesswatts.org Project, is more public 
about exploiting the tickless kernel and 
publicizing its power management 
tools, representatives at AMD assured 
me that their less-publicized initiatives 
and partnerships in the Linux community 
are just as or more significant than 
Intel's. Margaret Lewis, AMD Director of 
Commercial Solutions and Software 
Strategy, asserted that the tickless- 
kernel features are fully supported on 
both AMD's 32-bit and 64-bit proces- 
sors. Furthermore, Brent Kerby, Product 
Manager for AMD Opteron, noted that 
AMD's PowerNOW!, Cool'n’Quiet and 
CoolCore technologies, including the 
dynamic adjustment of individual pro- 
cessor-core frequencies (and not just in 
pairs), all function well and automatically 
under Linux and contribute greatly to 
power savings. Lewis added, “These 
technologies give you a lot more power 
management control and are cumula- 
tively perhaps more important than the 
tickless kernel.” AMD also emphasized 
its green efforts in other areas, such as 
the Green Grid, a consortium of compa- 
nies working together to address envi- 
ronmental issues holistically throughout 
the data center, addressing hardware,
software, building design, storage,
cooling and more.

Figure 1. Intel's PowerTOP tool helps sleuth out applications that are consuming extra power needlessly.


Attendant Applications: PowerTOP

Linus Torvalds has stated that work on 
the tickless kernel is mostly done and, 
thus, can take advantage of low-power 
states in processors; however, much 
remains to be done to maximize its 
effect. Although Linux gladly would 
remain dormant, other superfluous, 
busybody processes from various appli- 
cations keep waking it needlessly. To 
solve this problem, Intel's Arjan van de 
Ven created PowerTOP, a tool that finds 
culprits in the kernel and user space 
that are bothering the processor need- 
lessly and reports the energy wasted by 
those activities. PowerTOP also reports 
on the time spent in each power state. 


Virtualization 

Making more efficient use of existing 
computing resources through virtualiza- 
tion, such as consolidating multiple 
virtual servers onto fewer physical 
machines, has been a major trend in 
the Linux space. Little do we realize we 
are saving a great deal of juice in the 
process. Thus, not only does one 
reduce server sprawl and the expense 
of purchasing and maintaining more 
machines, but also electrical power uti- 
lization is improved by approximately 
10-20 Watts per idle virtual machine, 
according to AMD. Additionally, as Jon 
‘maddog’ Hall says, “Utilizing fewer sys- 
tems and sharing the load is goodness.” 

The power savings from virtualiza- 
tion on Linux has been enhanced 
further by the arrival of tickless idle. 
The existence of ticks in each virtual 
machine would otherwise put multiple 
extra loads on the virtualization plat- 
form and greatly reduce efficiency and 
the number of VMs per machine. 

For instance, if you have 30 VMs on 
one machine, with each one creating 
hundreds of ticks per second, a sig- 
nificant load is created before any 
real work is done. 

Beyond virtualization itself, a number
of vendors are exploring ways to
manage their virtualization strategies to
streamline their data-center operations
and reduce power usage further. One
example is Cassatt Corporation's Active
Power Management Technology, which
has released a platform-agnostic product
to turn off servers safely when they
are not needed or idle. Rather than
leaving machines automatically running
round the clock or relying on manual
decision making, administrators can set
priorities and policies to mandate how,
where and when to power down idle
servers, as well as power them back up.
The net result is better management of
both virtual and physical infrastructure.
Interesting for us Linux-lovers, Active
Power Management is easy to install
and nondisruptive, as it relies on internal
power controllers found inside most
servers rather than on installation of
software on managed servers.

A typical Linux server gulps about 225
Watts or more of power, meaning that
the millions of Linux servers out there,
now at around a 27% market share, are
responsible for nearly 5 million tons of
carbon emissions annually.

Scalent V/OE offers another approach,
namely dynamic server repurposing.
V/OE allows administrators to shift
their data centers between different
configurations or go from dead bare
metal to live, running, connected
servers in just a few minutes and
without physical intervention.
Scalent’s Director of Marketing, Alana
Achterkirchen, pointed out that Pacific
Gas & Electric (PG&E), California’s
largest electric utility, offers rebates
to companies that deploy IT virtualization
projects that result in the
removal of computing equipment.
The incentive, says PG&E, “is based
on the amount of energy saved, predicted
through a calculation model”
and ranges from $150-$300 per
server. Way to go, California!


What Are the Distributions Doing?

The main distribution providers are core
contributors to many a green project
and are integrating them into their
releases as rapidly as possible. For
instance, Red Hat, Ubuntu and SUSE
Linux all committed publicly to
contribute to and make available the
innovations from Lesswatts.org.

Nick Car, Red Hat Chief Technical
Spokesperson, emphasized that his
firm’s green efforts “extend considerably
beyond consolidation”, including
“the provision of highly optimized
paravirt device drivers for fully virtualized
guests.” This means more and more
systems will be able to be virtualized,
broadening the utilization and impact
of the technology.

Car also touted Red Hat's collaboration
with chip vendors and Open Source
communities to optimize power
consumption in areas such as:


■ CPUfreq clock scaling in collaboration
with Intel. Clock scaling allows for
changing the clock speed of the running
CPU on the fly, thus reducing
the power the CPU consumes.


■ AMD’s PowerNow! speed throttling
and power-saving technology
(includes CPUfreq work).


■ Intel's PowerTOP Project and using it
to identify power-inefficient algorithms
on all server applications, as
well as to audit the kernel for pollers.
Car points out that “We have been
doing this work for the past year,
and it has accumulated to the point
where we are seeing meaningful
power savings.”


■ Suspend/resume/hibernate work on
laptops, including features such as
automatic screen backlight intensity
reduction as a laptop becomes idle.


Red Hat also will integrate the new
tickless kernel in Fedora 9 and subsequently
in Red Hat Enterprise Linux.
“Red Hat has been a key developer of
this technology”, says Car, “which
allows the kernel to properly idle itself
when appropriate.”


www.linuxjournal.com april 2008 | 49


FEATURE Go Green, Save Green with Linux


Over in Ubuntu’s camp, Gerry
Carr, Canonical’s Marketing Manager,
stressed that his company “is not directly
involved in green computing per se,
but indirectly we are massively
involved”, adding that “we built an
enabling technology for green computing
without it being directly built for this
purpose.” Regarding virtualization, Carr
also stressed the “optimization of the
kernel for paravirt ops, which is a long
way of saying you can run more VMs
on less iron using Ubuntu, thus saving
energy there.”

Carr also highlighted the presence of 
Ubuntu on low-cost computers, which 
typically utilize less energy, such as 
Intel’s Classmate PC. The Classmate is 
targeted at students in poor coun- 
tries. Similarly, Ubuntu actively 
supports thin-client com- 
puting through partner- 
ship with NComputing 
and other providers. One 
example is the deployment of 
terminal desktops for every child in the 
Republic of Macedonia (180,000 
terminals) on only 20,000 PCs. 

Carr further explained that the 
Xubuntu version of its distribution “is 
built specifically to run on older, less- 
powerful machines and thus extend 
their shelf life significantly”, and that 
it has evidence that “a PC running 
Ubuntu is significantly more power- 
efficient than one running Windows”. 

Finally, Carr notes that “As an 
organisation, we are great believers 
in the multiplier effect, in providing 
the means for others to take action. 
We couldn't try to directly support 
the number of initiatives that happen 
purely by providing a product that is 
free to use and redistribute and that 
we freely maintain.” 

Regarding SUSE Linux, Roger Levy,
Senior Vice President and General
Manager of Open Platform Solutions
for Novell, noted that his company
is focused on “improvements in
policy-driven power management
and system monitors for servers,
along with better suspend functionality
for laptops”.


Green PCs and Other Equipment

Just because a piece of hardware
is cheap, doesn’t mean it is cheapest in
the long run. Whether that hardware is
expensive in environmental terms is
harder to calculate, but is fortunately
becoming easier as hardware providers
seek competitive advantage via green
credentials and tools to evaluate
product impact.

The difference between running
Linux with its tickless kernel on AMD
or Intel processors is probably a wash.
Both companies have strong commitments
to environmental protection and
reducing energy consumption. A more
important choice is whether your hardware
solution is built with an environmental
ethos in mind and offers maximum
power conservation, avoidance of
toxins and recycling options. A few
exceptional, Linux-focused companies
are worth considering in this regard.

Figure 2. The new Zonbu laptop follows in the green footsteps of its older kin, the Zonbu PC. Zonbu even will offset your carbon emissions for you!


Zonbu PC and Laptop
Zonbu is perhaps the 
hardware provider most 
obsessed with being green 
and sees its environmental 
laurels as core selling points. The 
company offers two interesting and 
green machines, the Zonbu PC and 
the Zonbu Notebook. Both machines are 
pre-installed with Gentoo Linux and 
offer environmental advantages like few 
other PCs do. Zonbu also offers interest- 
ing features, such as on-line storage 
plans and separate versions for newbies 
and experienced users. (See the February 
2008 issue of Linux Journal for a 
detailed review of the Zonbu desktop.) 
Zonbu is attempting to cover all 
the environmental bases, which is 
summed up in its Electronic Product 
Environmental Assessment Tool (EPEAT) 
Gold rating for strong overall environ- 
mental performance. Only 12 desktop 
machines have reached this mark to 
date. The Zonbu sisters deliver significant 
gains in energy efficiency, achieving 
the US EPA Energy Star 4 rating. This 
translates to a power requirement of only 
10-15 Watts, depending on the load. 
Most PCs of similar caliber (without 
monitor) will gulp 60-100 Watts or more, 
depending on numerous factors. Zonbu's 
marketing people tell me that you'll save 
over 1,200 kilowatt hours during the 
course of a year, which seems generous 
given their assumption that a typical PC 
averages 175 Watts. However, even with 
a more-conservative savings estimate of
600 kilowatt hours per year, you'll
probably save more than $60 on electricity 
during the course of a year, based on 
a cost of $0.10 per kilowatt hour. 

A unique Zonbu bonus involves auto- 
matic purchases of carbon offsets from 
the firm Climate Trust, which invests in 
projects that reduce net carbon emis- 
sions society-wide, such as wind energy 
or tree planting. In addition, Zonbu 
builds its hardware with recycling in 
mind and follows the European RoHS 
Directive, such that no more than 25% 
of the hazardous substances (such as 
lead, mercury and cadmium) that go 
into typical desktops are used. Finally, 
when you're ready to upgrade, Zonbu 
takes back your old device and foots 
the bill for its recycling. Zonbu says it 
is “determined that no Zonbu device 
contributes to the problem” of e-waste. 


Save a Ton(ne) with Koolu 
Not much different philosophically from 
Zonbu is Koolu, a Canadian firm that 
aims to save a tonne (Canadian for ton) 
of carbon emissions with its thin clients 
and Net appliances. With Jon ‘maddog’ 
Hall as Koolu’s CTO and Ambassador, you 
are sure that the concept is robust and 
open source. The products run Ubuntu. 
Koolu’s (and many other firms’) thin 
clients, says Hall, require only 10 Watts or 
less and “allow better sharing of CPU 
power, memory, disk and even people 
power”. Meanwhile, Koolu claims that 
the fanless Net appliances will save you 
up to 90% on electricity costs and 50% 
on PC capital costs. Furthermore, like the 
Zonbu twins, Koolu’s products are RoHS- 
compliant. Unfortunately, Koolu does not 
currently offer a recycling program, nor 
does it purchase carbon offsets. 


Other Ways to Make a Difference

Besides the above information, there are
many other ways to compute that are
gentler on the environment. Here are a
few suggestions:


■ Avoid e-waste by avoiding Windows
Vista—a 2007 study by Softchoice
Corporation and amplified by
Greenpeace stated that “50% of all
PCs are below Windows Vista's basic
system requirements” and “94% are
not ready for Windows Vista Premium
edition”. A similar study by the British
government found that Linux users
need to upgrade their hardware only
half as often as Windows users.


■ Investigate the environmental footprint
of your next equipment purchase
with Electronic Product Environmental
Assessment Tool (EPEAT).


■ Look for the Energy Star logo,
with its tough new requirements,
for energy efficiency and power
management capabilities.


■ Recycle your old CRT monitor—
according to ViewSonic, a 19" LCD
monitor sips only 40 Watts compared
to 100 Watts for a comparable CRT
monitor. The company estimates
you'll save around $20 annually
in electricity costs.


Do It with Linux

Although most news about the environment
and energy consumption is alarming,
the plethora of new Linux-focused
technologies and initiatives related to
green computing is a cause for hope and
optimism. Many barriers, such as data-center
complexity, lack of information and
societal apathy, must yet be overcome,
but the Linux community and many IT
firms have laid a laudable foundation from
which to build. The initiatives outlined in
this article—IBM's Big Green Linux, Intel’s
Lesswatts.org, Linus’ tickless kernel, virtualization,
Zonbu and Koolu PCs, Energy
Star, EPEAT and more—are excellent tools
that can help you to do well while you do
good. Linux Journal encourages you
to keep Mother Nature in mind as you
green up your data center or PC, but if
you do your homework, going green
likely will not be a burden to bear but
a substantial long-term competitive
cost advantage as well.

James Gray is Linux Journal Products Editor and a graduate
student in environmental science and management at Michigan
State University. A Linux enthusiast since the mid-1990s, he
currently resides in Lansing, Michigan, with his wife and cats.


Resources

IBM's Big Green Linux Initiative: www-03.ibm.com/press/us/en/pressrelease/22006.wss

Intel's Lesswatts.org: www.lesswatts.org

The Linux Foundation’s Green Linux Initiative: www.linux-foundation.org/en/Green_Linux

Cassatt Corporation: www.cassatt.com

Pacific Gas & Electric Rebates for Virtualization Projects: www.pge.com/biz/rebates/hightech/htee_incentives.html

Red Hat: www.redhat.com

Ubuntu: www.ubuntu.com

Intel’s Classmate PC: www.classmatepc.com

Macedonia Computer Project: www.ubuntu.com/news/macedonia-school-computers

Xubuntu: www.xubuntu.org

Zonbu: www.zonbu.com

US EPA Energy Star Program: www.energystar.gov

Climate Trust: www.climatetrust.org

Koolu: www.koolu.com

Electronic Product Environmental Assessment Tool (EPEAT): www.epeat.net

Cfengine makes it easier to manage configuration
files across large numbers of machines. 


Scott Lackey 


Cfengine is known by many system administrators to be an
excellent tool to automate manual tasks on UNIX and Linux-based
machines. It also is the most comprehensive framework
to execute administrative shell scripts across many servers
running disparate operating systems. Although cfengine is
certainly good for these purposes, it also is widely considered
the best open-source tool available for configuration management.
Using cfengine, sysadmins with a large installation of,
say, 800 machines, can have information about their environment
quickly that otherwise would take months to gather, as
well as the ability to change the environment in an instant.
For an initial example, if you have a set of Linux machines
that need to have a different /etc/nsswitch.conf, and then
have some processes restarted, there's no need to connect to
each machine and perform these steps or even to write a
script and run it on the machines once they are identified. You
simply can tell cfengine that all the Linux machines running
Fedora/Debian/CentOS with X GB of RAM or more need to use
a particular /etc/nsswitch.conf until a newer one is designated.
Cfengine can do all that in a one-line statement.

Cfengine's configuration management capabilities can
work in several different ways. In this article, I focus on a
make-it-so-and-keep-it-so approach. Let's consider a small
hosting company configuration, with three administrators and
two data centers (Figure 1).

Each administrator can use a Subversion/CVS sandbox to
hold repositories for each data center. The cfengine client will
run on each client machine, either through a cron job or a
cfengine execution daemon, and pull the cfengine configuration
files appropriate for each machine from the server. If there
is work to be done for that particular machine, it will be carried
out and reported to the server. If there are configuration
files to copy, the ones active on the client host will be replaced
by the copies on the cfengine server. (Cfengine will not replace
a file if the copy process is partial or incomplete.)

Figure 1. How the Few Control the Many

A cfengine implementation has three major components: 


■ Version control: this usually consists of a versioning system,
such as CVS or Subversion.


■ Cfengine internal components: cfservd, cfagent, cfexecd,
cfenvd, cfagent.conf and update.conf.


■ Cfengine commands: processes, files, shellcommands,
groups, editfiles, copy and so forth.


The cfservd is the master daemon, configured with 
/etc/cfservd.conf, and it listens on port 5803 for connections to 
the cfengine server. This daemon controls security and directory 
access for all client machines connecting to it. cfagent is the 
client program for running cfengine on hosts. It will run either 
from cron, manually or from the execution daemon for cfengine, 
cfexecd. A common method for running the cfagent is to exe- 
cute it from cron using the cfexecd in non-daemon mode. The 
primary reason for using both is to engage cfengine’s logging 
system. This is accomplished using the following: 


*/10 * * * * /var/cfengine/sbin/cfexecd -F


as a cron entry on Linux (unless Solaris starts to understand
*/10). Note that this is fairly frequent and good only for a low
number of servers. We don’t want 800 servers updating within
the same ten minutes.

The cfenvd is the “environment daemon” that runs on the 
client side of the cfengine implementation. It gathers informa- 
tion about the host machine, such as hostname, OS and IP 
address. The cfenvd detects these factors about a host and 
uses them to determine to which groups the machine belongs. 
This, in effect, creates a profile for each machine that cfengine 
uses to determine what work to perform on each host. 

The master configuration file for each host is cfagent.conf. 
This file can contain all the configuration information and 
cfengine code for the host, a subset of hosts or all hosts in the 
cfengine network. This file is often just a starting point where 
all configurations are stored in other files and “imported” into 
cfagent.conf, in a very similar fashion to Nagios configuration 
files. The update.conf file is the fundamental configuration file 
for the client. It primarily just identifies the cfengine server and 
gets a copy of the cfagent.conf. 


Figure 2. Automated Distribution of Cfengine Files


The update.conf file tells the cfengine server to deploy a 
new cfagent.conf file (and perhaps other files as well) if the 
current copy on the host machine is different. This adds some 
protection for a scenario where a corrupt cfagent.conf is 
sent out or in case there never was one. Although you could 
use cfengine to distribute update.conf, it should be copied 
manually to each host. 

Cfengine “commands” are not entered on the command 
line. They make up the syntax of the cfengine configuration 
language. Because cfengine is a framework, the system 
administrator must write the necessary commands in cfengine 
configuration files in order to move and manipulate data. As 
an example, let’s take a look at the files command as it would 
appear in the cfagent.conf file: 


files:
   /etc/passwd mode=644
      owner=root action=fixall
   /etc/shadow mode=600
      owner=root action=fixall


This would set all machines’ /etc/passwd and /etc/shadow
files to the permissions listed in the file (644 and 600). It
also would change the owner of the file to root and fix all
of these settings if they are found to be different, each
time cfengine runs. It's important to keep in mind that
there are no group limitations to this particular files command.
If cfengine does not have a group listed for the
command, it assumes you mean any host. This also could
be written as:


files:
   any::
      /etc/passwd mode=644
         owner=root action=fixall
      /etc/shadow mode=600
         owner=root action=fixall
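
What fixall amounts to, as an added Python example (not cfengine code and not from the article): the same mode and owner policy checked in report-only mode and then in fixing mode, where a rerun finds nothing left to change. The `enforce` function, the scratch files standing in for /etc/passwd and /etc/shadow, and the current uid used in place of root are assumptions made so that it runs unprivileged.

```python
import os
import shutil
import stat
import tempfile


def enforce(policy, fix=False):
    """Compare each path with its wanted mode and owner uid.

    Returns a list of (path, attribute, found, wanted), one entry per
    deviation seen. With fix=True each deviation is also repaired, so a
    second call returns an empty list. With fix=False nothing is changed.
    """
    drift = []
    for path, (want_mode, want_uid) in sorted(policy.items()):
        st = os.stat(path)
        have_mode = stat.S_IMODE(st.st_mode)
        if have_mode != want_mode:
            drift.append((path, "mode", oct(have_mode), oct(want_mode)))
            if fix:
                os.chmod(path, want_mode)
        if st.st_uid != want_uid:
            drift.append((path, "owner", st.st_uid, want_uid))
            if fix:
                os.chown(path, want_uid, -1)   # -1 leaves the group alone
    return drift


def demo():
    """Run an audit, a fix and a rerun on constructed files in a scratch dir."""
    root = tempfile.mkdtemp(prefix="cffiles-")
    try:
        me = os.getuid()      # assumption: stands in for owner=root
        passwd = os.path.join(root, "passwd")
        shadow = os.path.join(root, "shadow")
        for path in (passwd, shadow):
            with open(path, "w") as fh:
                fh.write("constructed sample\n")
            os.chmod(path, 0o644)              # shadow starts out too open
        policy = {passwd: (0o644, me), shadow: (0o600, me)}

        audit = enforce(policy)                # report only
        after_audit = stat.S_IMODE(os.stat(shadow).st_mode)
        fixed = enforce(policy, fix=True)      # report and repair
        rerun = enforce(policy, fix=True)      # converged, nothing to do
        after_fix = stat.S_IMODE(os.stat(shadow).st_mode)
        return audit, after_audit, fixed, rerun, after_fix
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for step in demo():
        print(step)
```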


This brings us to an important topic in building a cfengine 
implementation: groups. There is a groups command that can 
be used to assign hosts to groups based on various criteria. 
Custom groups that are created in this way are called soft 
groups. The groups that are filled by the cfenvd daemon 
automatically are referred to as hard groups. To use the groups 
feature of cfengine and assign some soft groups, simply create 
a groups.cf file, and tell the cfagent.conf to import it somewhere 
in the beginning of the file: 


import:
   any::
      groups.cf


Cfengine will look in the default directory for the groups.cf 
file in /var/cfengine/inputs. Now you can create arbitrary 
groups based on any criteria. It is important to remember that 
the terms groups and classes are completely interchangeable 
in cfengine: 


groups:
   development = ( nfs01 nfs02 10.0.0.17 )
   production = ( app01 app02 !development )


You also can combine hard groups that have been discovered 
by cfenvd with soft groups: 


groups:
   legacy = ( irix compiled_on_cygwin sco )


Let's get our testing setup in order. First, install cfengine on 
a server and a client or workstation. Cfengine has been com- 
piled on almost everything, so there should be a package for 
your OS/distribution. Because the source is usually the latest 
version, and many versions are bug fixes, I recommend compiling
it yourself. Installing cfengine gives you both the server
and client binaries and utilities on every machine, so be careful 
not to run the server daemon (cfservd) on a client machine 
unless you specifically intend to do that. After the install, 
you should have a /var/cfengine/ directory and the binaries 
mentioned previously. 

Before any host can actually communicate with the 
cfengine server, keys must be exchanged between the two. 
Cfengine keys are similar to SSH keys, except they are one-way.
That is to say, both the server and the client must have
each other's public key in order to communicate. Years of
sysadmin paranoia cause me to recommend manually copy- 
ing all keys and trusting nothing. Copy /var/cfengine/ppkeys/ 
localhost.pub from the server to all the clients and from 
the clients to the server in the same directory, renaming 
them /var/cfengine/ppkeys/root-10.11.0.1.pub, where the 
IP is 10.11.0.1. 

On the server side, cfservd.conf must be configured to 
allow clients to access particular directories. To do this, create 
an AllowConnectionsFrom and an admit section: 


# cfservd.conf

control:
   AllowConnectionsFrom = ( 192.168.0.0/24 )

admit:
   /configs/datacenter1 *.example1.com
   /configs/datacenter2 *.example2.com

To test your example client to see whether it is connecting 
to the cfengine server, make sure port 5803 is clear between 
them, and run the server with: 


cfservd -v -d2


And, on the client run:


cfagent -v --no-splay


This will give you a lot of debugging information on the 
server side to see what's working and what isn’t. 
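
Before reading the debug output, it helps to know which outcome each client should get. This added Python model (not cfservd's code; its two-stage matching is a simplified assumption) evaluates the AllowConnectionsFrom and admit rules above against constructed requests, including the 10.11.0.1 address from the key-naming step, which lies outside 192.168.0.0/24.

```python
import fnmatch
import ipaddress
import posixpath

# Rules as written in the cfservd.conf example.
ALLOW_CONNECTIONS_FROM = ["192.168.0.0/24"]
ADMIT = [
    ("/configs/datacenter1", ["*.example1.com"]),
    ("/configs/datacenter2", ["*.example2.com"]),
]

# Constructed requests: (client IP, client hostname, requested path).
REQUESTS = [
    ("192.168.0.21", "web1.example1.com",
     "/configs/datacenter1/linux/resolv.conf"),
    ("192.168.0.21", "web1.example1.com",
     "/configs/datacenter2/linux/resolv.conf"),
    ("192.168.0.21", "web1.example1.com",
     "/configs/datacenter1/../datacenter2/linux/resolv.conf"),
    ("192.168.0.22", "web1.example1.com",
     "/configs/datacenter10/linux/resolv.conf"),
    ("10.11.0.1", "db1.example2.com",
     "/configs/datacenter2/hpux/resolv.conf"),
]


def connection_allowed(client_ip, allowed=ALLOW_CONNECTIONS_FROM):
    """Stage 1: is the source address inside any allowed network?"""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(net) for net in allowed)


def path_admitted(client_host, requested, admit=ADMIT):
    """Stage 2: does an admit rule cover both this host and this path?"""
    clean = posixpath.normpath(requested)      # resolve ../ before comparing
    host = client_host.lower()
    for directory, patterns in admit:
        # Match the directory itself or anything below it, never a sibling
        # whose name merely starts with the same characters.
        inside = clean == directory or clean.startswith(directory + "/")
        if inside and any(fnmatch.fnmatchcase(host, p) for p in patterns):
            return True
    return False


def decide(client_ip, client_host, requested):
    """Return 'refused', 'denied' or 'admitted' for one request."""
    if not connection_allowed(client_ip):
        return "refused"       # never reaches the admit rules
    if not path_admitted(client_host, requested):
        return "denied"
    return "admitted"


if __name__ == "__main__":
    for request in REQUESTS:
        print(decide(*request), request)
```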

Now, let's take a look at distributing a configuration file. 
Although cfengine has a full-featured file editor in the editfiles 
command, using this method for distributing configurations 
is not advised. The copy command will move a file from 
the server to the client machine with .cfnew appended to 
the filename. Then, once the file has been copied completely, 
it renames the file and saves the old copy as .cfsaved in the 
specified directory. Here's the copy command syntax: 


copy:
   class::
      <master-file>
         dest=target-file
         server=server
         mode=mode
         owner=owner
         group=group
         backup=true/false
         repository=backup dir
         recurse=number/inf/0
         define=classlist


Only the dest= is required, along with the filename to 
save at the destination. These can be different. Here's 
another example: 


copy:
   linux::
      ${copydir}/linux/resolv.conf
         dest=/etc/resolv.conf
         server=cfengine.example1.com
         mode=644
         owner=root
         group=root
         backup=true
         repository=/var/cfengine/cfbackup
         recurse=0
         define=copiedresolvdotconf


The last line in this copy statement assigns this host to a 
group called copiedresolvdotconf. Although we don’t have 
to do anything after copying this particular file, we may 
want to do some action on all hosts that just had this file 
successfully sent to them, such as sending an e-mail or 
restarting a process. As another example, if you update a 
configuration file that is attached to a daemon, you may
want to send a SIGHUP to the process to cause it to reread 
the configuration file. This is common with Apache's 
httpd.conf or inetd.conf. If the copy is not successful, this 
server won't be added to the copiedresolvdotconf class. 
You can query all servers in the network to see whether 
they are members and, if not, find out what went wrong. 
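
The stage, verify, back up and rename sequence described above, together with the class that is defined only on success, written out as an added Python example (not cfengine's code and not from the article). `safe_copy`, its `fetch` hook, the sample file contents and the SHA-256 comparison used to detect an incomplete transfer are all assumptions made for illustration.

```python
import hashlib
import os
import shutil
import tempfile


def sha256(path):
    """Return the SHA-256 hex digest of a file's contents."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def safe_copy(master, dest, repository, mode=0o644, define="copied",
              fetch=shutil.copyfile):
    """Install `master` at `dest`: stage, verify, back up, rename.

    `fetch(src, dst)` stands in for the network transfer (hypothetical hook).
    Returns {define} if a new file went live, otherwise an empty set, in
    which case `dest` is exactly as it was before the call.
    """
    staged = dest + ".cfnew"
    try:
        if os.path.exists(dest) and sha256(dest) == sha256(master):
            return set()                      # already converged
        fetch(master, staged)                 # 1. stage beside the target
        if sha256(staged) != sha256(master):  # 2. refuse a partial transfer
            raise OSError("staged copy does not match master")
        os.chmod(staged, mode)                # 3. permissions before go-live
        if os.path.exists(dest):              # 4. keep the previous version
            os.makedirs(repository, exist_ok=True)
            shutil.copy2(dest, os.path.join(
                repository, os.path.basename(dest) + ".cfsaved"))
        os.replace(staged, dest)              # 5. atomic on one filesystem
    except OSError:
        if os.path.exists(staged):
            os.remove(staged)                 # leave no half-written file
        return set()
    return {define}


def truncated_fetch(src, dst):
    """Constructed failure: a transfer that stops halfway through."""
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        data = fin.read()
        fout.write(data[: len(data) // 2])


def demo():
    """Run a failed copy, a good copy and a rerun in a scratch directory."""
    root = tempfile.mkdtemp(prefix="cfcopy-")
    try:
        master = os.path.join(root, "master-resolv.conf")
        dest = os.path.join(root, "resolv.conf")
        repo = os.path.join(root, "cfbackup")
        with open(master, "w") as fh:         # constructed sample contents
            fh.write("nameserver 192.0.2.53\nsearch example.test\n")
        with open(dest, "w") as fh:
            fh.write("nameserver 198.51.100.1\n")

        failed = safe_copy(master, dest, repo, define="copiedresolvdotconf",
                           fetch=truncated_fetch)
        with open(dest) as fh:
            after_failure = fh.read()
        first = safe_copy(master, dest, repo, define="copiedresolvdotconf")
        second = safe_copy(master, dest, repo, define="copiedresolvdotconf")
        with open(os.path.join(repo, "resolv.conf.cfsaved")) as fh:
            saved = fh.read()
        return {
            "failed": failed, "after_failure": after_failure,
            "first": first, "second": second, "saved": saved,
            "live_matches_master": sha256(dest) == sha256(master),
            "leftover_cfnew": os.path.exists(dest + ".cfnew"),
        }
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", repr(value))
```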

A great way to version control your config files is to use a
cfengine variable for the filename being copied to control
which version gets distributed. Such a line may look something
like this:


copy:
   linux::
      ${copydir}/linux/${resolv_conf}


Or, better yet, you can use cfengine’s class-specific vari- 
ables, whose scope is limited to the class with which they are 
associated. This makes copy statements much more elegant 
and can simplify changes as your cfengine files scale: 


control:
   # ${resolve_conf} value depends on context,
   # is this a linux machine or hpux?
   linux:: resolve_conf = ( "${copydir}"/linux/resolv.conf )
   hpux:: resolve_conf = ( "${copydir}"/hpux/resolv.conf )

copy:
   linux::
      ${resolve_conf}


Java JNI and Linux


Do you have code for Linux written in Assembler, C, C++,
FreePascal or any other native-compiled language that
surfaces a Java JNI interface?

Have you had problems with crashes from time to time? It
could be that your native code is improperly, from Java's point
of view anyway, using signals. Even if your code is not explicitly
using signals, the Run-Time Library (RTL) linked into your Java
JNI Shared Object may be using signals “for” you.

The answer to your problems may lie in a Shared Object
named libjsig.so that comes with later versions of Java.
Basically, libjsig.so makes it easy to implement something
called signal chaining that allows the Java JVM, and your
Java JNI native code that uses signals, to interact with one
another properly.

There are a couple ways to use libjsig.so, but one quick
way to find out whether libjsig.so will benefit you is to use
the wonderful Linux LD_PRELOAD capability discussed in the
November 2004 issue of Linux Journal in the article “Modifying
a Dynamic Library without Changing the Source Code” by


Here is a full cfagent.conf file that makes use of everything
I've covered thus far. It also adds some practical examples of
how to do sysadmin work with cfengine:


# cfagent.conf

control:
   # Only the actions named in actionsequence are run, in this order,
   # so shellcommands and copy (from copy.cf) are listed as well.
   actionsequence = ( files editfiles shellcommands copy processes )
   AddInstallable = ( cron_restart )
   solaris:: crontab = ( /var/spool/cron/crontabs/root )
   linux:: crontab = ( /var/spool/cron/root )

files:
   solaris::
      ${crontab}
      action=touch
   linux::
      ${crontab}
      action=touch

editfiles:
   solaris::
      { ${crontab}
      AppendIfNoSuchLine "0,10,20,30,40,50 * * * * /var/cfengine/sbin/cfexecd -F"
      DefineClasses "cron_restart"
      }
   linux::
      { ${crontab}
      AppendIfNoSuchLine "0,10,20,30,40,50 * * * * /var/cfengine/sbin/cfexecd -F"
      # linux doesn't need a cron restart.
      }

shellcommands:
   solaris.cron_restart::
      "/etc/init.d/cron stop"
      "/etc/init.d/cron start"

import:
   any::
      groups.cf
      copy.cf


The above is a full cfagent configuration that adds 
cfengine execution from cron to each client (if it’s Linux 
or Solaris). So effectively, once you run cfengine manually 
for the first time with this cfagent.conf file, cfengine will 
continue to run every five minutes from that host, but you 
won't need to edit or restart cron. The control section of 
the cfagent.conf is where you can define some variables 
that will control how cfengine handles the configuration 
file. actionsequence tells cfengine what order to execute 
each command, and AddInstallable is a variable that 
holds soft groups that get defined later in the file in a 
“define” statement, such as after the editfiles command 
where the line is DefineClasses "cron_restart". The 
reason for using Addinstallable is sometimes cfengine skips 
over groups that are defined after command execution, and 
defining that group in the control section ensures that the 
command will be recognized throughout the configuration. 

Being able to check configuration files out from a versioning 
system and distribute them to a set of servers is a powerful system 
administration tool. A number of independent tools will do a 
subset of cfengine’s work (such as rsync, ssh and make), but 
nothing else allows a small group of system administrators to 
manage such a large group of servers. Centralizing configuration 
management has the dual benefit of information and control, 
and cfengine provides these benefits in a free, open-source tool 
for your infrastructure and application environments. 


Scott Lackey is an independent technology consultant who has developed and deployed 
configuration management solutions across industry from NASA to Wall Street. Contact him 
at slackey@violetconsulting.net, www.violetconsulting.net. 


Greg Kroah-Hartman (www.linuxjournal.com/article/7795). 
To give it a go, in a bash shell, use the following technique 

to execute your Java application: 

export LD _PRELOAD=/path/to/libjsig.so; java YOUR_JAVA CLASS 


For more information on libjsig.so try: 


@ Signal Chaining: java.sun.com/javase/6/docs/technotes/ 
guides/vm/signal-chaining.html 


@ Revelations on Java signal handling and termination: 
www.ibm.com/developerworks/java/library/ 
i-signalhandling/ 


@ Signal Handling on Solaris OS and Linux: java.sun.com/ 
javase/6/webnotes/trouble/TSG-VM/html/gbzbl.html 


—PAUL WHITTINGTON 




Flexible Network Booting 
with Menus 


Set up a PXE server and then add menus to boot kickstart 
images, rescue disks and diagnostic tools all from the network. 


KYLE RANKIN 


It’s funny how automation evolves as system administrators 
manage larger numbers of servers. When you manage only a 
few servers, it's fine to pop in an install CD and set options 
manually. As the number of servers grows, you might realize 
it makes sense to set up a kickstart or FAI (Debian’s Fully 
Automated Installer) environment to automate all that 
manual configuration at install time. Now, you boot the 
install CD, type in a few boot arguments to point the 
machine to the kickstart server, and go get a cup of coffee 
as the machine installs. 

When the day comes that you have to install three or four
machines at once, you either can burn extra CDs or investigate
PXE boot. The Preboot eXecution Environment is an open
standard developed by Intel to allow machines to boot over a
network instead of from local media, such as a floppy, CD or
hard drive. Modern servers and newer laptops and desktops
with integrated NICs should support PXE booting in the
BIOS—in some cases, it's enabled by default, and in other
cases, you need to go into your BIOS settings to enable it.
Because many modern servers these days offer built-in
remote power and remote terminals or otherwise are remotely
accessible via serial console servers or networked KVM, if you
have a PXE boot environment set up, you can power on
remotely, then boot and install a machine from miles away.

If you have never set up a PXE boot server before, the first
part of this article covers the steps to get your first PXE server
up and running. If PXE booting is old hat to you, skip ahead to
the section called PXE Menu Magic. There, I cover how to configure
boot menus when you PXE boot, so instead of hunting
down MAC addresses and doing a lot of setup before an install,
you simply can boot, select your OS, and you are off and running.
After that, I discuss how to integrate rescue tools, such as
Knoppix and memtest86+, into your PXE environment, so they
are available to any machine that can boot from the network.


PXE Setup 

You need three main pieces of infrastructure for a PXE setup: a 
DHCP server, a TFTP server and the syslinux software. Both 
DHCP and TFTP can reside on the same server. When a system 
attempts to boot from the network, the DHCP server gives it 
an IP address and then tells it the address for the TFTP server 
and the name of the bootstrap program to run. The TFTP 
server then serves that file, which in our case is a PXE-enabled 
syslinux binary. That program runs on the booted machine 
and then can load Linux kernels or other OS files that also are 
shared on the TFTP server over the network. Once the kernel is 
loaded, the OS starts as normal, and if you have configured a 
kickstart install correctly, the install begins. 


Configure DHCP 

Any relatively new DHCP server will support PXE booting, so 
if you don’t already have a DHCP server set up, just use your 
distribution’s DHCP server package (possibly named dhcpd, 
dhcp3-server or something similar). Configuring DHCP to suit 
your network is somewhat beyond the scope of this article, 
but many distributions ship a default configuration file that 
should provide a good place to start. Once the DHCP server is 
installed, edit the configuration file (often in /etc/dhcpd.conf), 
and locate the subnet section (or each host section if you 
configured static IP assignment via DHCP and want these 
hosts to PXE boot), and add two lines: 


next-server ip_of_pxe_server; 
filename "pxelinux.0"; 


The next-server directive tells the host the IP address of 
the TFTP server, and the filename directive tells it which file to 
download and execute from that server. Change the next- 
server argument to match the IP address of your TFTP server, 
and keep filename set to pxelinux.0, as that is the name of the 
syslinux PXE-enabled executable. 

In the subnet section, you also need to add dynamic-bootp 
to the range directive. Here is an example subnet section after 
the changes: 


subnet 10.0.0.0 netmask 255.255.255.0 {
    range dynamic-bootp 10.0.0.200 10.0.0.220;
    next-server 10.0.0.1;
    filename "pxelinux.0";
}


Install TFTP 
After the DHCP server is configured and running, you are 
ready to install TFTP. The pxelinux executable requires a TFTP 
server that supports the tsize option, and two good choices 
are either tftpd-hpa or atftp. In many distributions, these 
options already are packaged under these names, so just 
install your distribution’s package or otherwise follow the
installation instructions from the project's official site. 
Depending on your TFTP package, you might need to add 
an entry to /etc/inetd.conf if it wasn’t already added for you: 


tftp dgram udp wait root /usr/sbin/in.tftpd /usr/sbin/in.tftpd -s /var/lib/tftpboot


As you can see in this example, the -s option (used for 
tftpd-hpa) specified /var/lib/tftpboot as the directory to contain 
my files, but on some systems, these files are commonly stored 
in /tftpboot, so see your /etc/inetd.conf file and your tftpd 
man page and check on its conventions if you are unsure. 
If your distribution uses xinetd and doesn’t create a file in 
/etc/xinetd.d for you, create a file called /etc/xinetd.d/tftp that 
contains the following: 


# default: off
# description: The tftp server serves files using
# the trivial file transfer protocol.
# The tftp protocol is often used to boot diskless
# workstations, download configuration files to network-aware
# printers, and to start the installation process for
# some operating systems.
service tftp
{
    disable     = no
    socket_type = dgram
    protocol    = udp
    wait        = yes
    user        = root
    server      = /usr/sbin/in.tftpd
    server_args = -s /var/lib/tftpboot
    per_source  = 11
    cps         = 100 2
    flags       = IPv4
}


As tftpd is part of inetd or xinetd, you will not need to 
start any service. At most, you might need to reload inetd or 
xinetd; however, make sure that any software firewall you 
have running allows the TFTP port (port 69 udp) as input. 


Add Syslinux 

Now that TFTP is set up, all that is left to do is to install 
the syslinux package (available for most distributions, or 
you can follow the installation instructions from the pro- 
ject’s main Web page), copy the supplied pxelinux.0 file 

to /var/lib/tftpboot (or your TFTP directory), and then create 
a /var/lib/tftpboot/pxelinux.cfg directory to hold pxelinux 
configuration files. 


PXE Menu Magic 
You can configure pxelinux with or without menus, and many
administrators use pxelinux without them. There are compelling
reasons to use pxelinux menus, which I discuss below,
but first, here's how some pxelinux setups are configured.
When many people configure pxelinux, they create 
configuration files for a machine or class of machines based 
on the fact that when pxelinux loads it searches the pxelinux.cfg 
directory on the TFTP server for configuration files in the 
following order: 


■ Files named 01-MACADDRESS with hyphens in between
each hex pair. So, for a server with a MAC address of
88:99:AA:BB:CC:DD, a configuration file that would target
only that machine would be named 01-88-99-aa-bb-cc-dd
(and I've noticed it does matter that it is lowercase).

■ Files named after the host's IP address in hex. Here, pxelinux
will drop a digit from the end of the hex IP and try again as
each file search fails. This is often used when an administrator
buys a lot of the same brand of machine, which often
will have very similar MAC addresses. The administrator
then can configure DHCP to assign a certain IP range to
those MAC addresses. Then, a boot option can be applied
to all of that group.

■ Finally, if no specific files can be found, pxelinux will look
for a file named default and use it.
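
The search order above can be reproduced offline to see which file a given host will pick up before it ever boots. The shell function below is an added example, not code from the article or from syslinux; it assumes an IPv4 client and writes the hex address in upper case, which is the form pxelinux requests.

```shell
#!/bin/sh
# pxe_cfg_candidates MAC IPV4
# Prints, in search order, the file names under pxelinux.cfg/ that
# pxelinux tries for one client: the MAC-based name, the hex IP address
# with one more trailing digit dropped each time, then "default".
pxe_cfg_candidates() {
    mac=$1
    ip=$2

    # Split the dotted quad into four positional parameters.
    old_ifs=$IFS
    IFS=.
    set -- $ip
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in
            ''|*[!0-9]*|0[0-9]*) return 1 ;;   # not a plain decimal number
        esac
        [ "$octet" -le 255 ] || return 1
    done

    # "01" is the ARP hardware type for Ethernet. The MAC follows in
    # lowercase with hyphens in place of colons.
    printf '01-%s\n' "$(printf '%s' "$mac" | tr 'A-F:' 'a-f-')"

    # The IPv4 address as eight uppercase hex digits, then shortened
    # by one digit after each lookup that would fail.
    hex=$(printf '%02X%02X%02X%02X' "$1" "$2" "$3" "$4")
    while [ -n "$hex" ]; do
        printf '%s\n' "$hex"
        hex=${hex%?}
    done

    printf 'default\n'
}

# The article's example MAC, on the article's example subnet.
pxe_cfg_candidates 88:99:AA:BB:CC:DD 10.0.0.200
```

The first name in the output that exists in pxelinux.cfg/ is the configuration that host boots with, so a leftover MAC or hex-IP file silently overrides the shared default menu.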


One nice feature of pxelinux is that it uses the same 
syntax as syslinux, so porting over a configuration from a 
CD, for instance, can start with the syslinux options and 
follow with your custom network options. Here is an 
example configuration for an old CentOS 3.6 kickstart: 


default linux
label linux
    kernel vmlinuz-centos-3.6
    append text nofb load_ramdisk=1 initrd=initrd-centos-3.6.img network ks=http://10.0.0.1/kickstart/centos3.cfg


Why Use Menus? 

The standard sort of pxelinux setup works fine, and many 
administrators use it, but one of the annoying aspects of it 
is that even if you know you want to install, say, CentOS 
3.6 on a server, you first have to get the MAC address. So, 
you either go to the machine and find a sticker that lists 
the MAC address, boot the machine into the BIOS to read 
the MAC, or let it get a lease on the network. Then, you 
need to create either a custom configuration file for that
host's MAC or make sure its MAC is part of a group you
already have configured. Depending on your infrastructure,
this step can add substantial time to each server. Even if 
you buy servers in batches and group in IP ranges, what 
happens if you want to install a different OS on one of the 
servers? You then have to go through the additional work 
of tracking down the MAC to set up an exclusion. 

With pxelinux menus, I can preconfigure any of the different
network boot scenarios I need and assign a number to
them. Then, when a machine boots, I get an ASCII menu I can
customize that lists all of these options and their number.
Then, I can select the option I want, press Enter, and the install
is off and running. Beyond that, now I have the option of
adding non-kickstart images and can make them available to
all of my servers, not just certain groups. With this feature,
you can make rescue tools like Knoppix and memtest86+
available to any machine on the network that can PXE boot.
You even can set a timeout, like with boot CDs, that will select
a default option. I use this to select my standard Knoppix
rescue mode after 30 seconds.


Configure PXE Menus 

Because pxelinux shares the syntax of syslinux, if you have 
any CDs that have fancy syslinux menus, you can refer to 
them for examples. Because you want to make this avail- 
able to all hosts, move any more specific configuration 
files out of pxelinux.cfg, and create a file named default. 
When the pxelinux program fails to find any more specific 
files, it then will load this configuration. Here is a sample 
menu configuration with two options: the first boots 
Knoppix over the network, and the second boots a CentOS 
4.5 kickstart: 


default 1
timeout 300
prompt 1
display f1.msg
F1 f1.msg
F2 f2.msg

label 1
    kernel vmlinuz-knx5.1.1
    append secure nfsdir=10.0.0.1:/mnt/knoppix/5.1.1 nodhcp lang=us ramdisk_size=100000 init=/etc/init 2 apm=power-off nomce vga=normal initrd=miniroot-knx5.1.1.gz quiet BOOT_IMAGE=knoppix
label 2
    kernel vmlinuz-centos-4.5-64
    append text nofb ksdevice=eth0 load_ramdisk=1 initrd=initrd-centos-4.5-64.img network ks=http://10.0.0.1/kickstart/centos4-64.cfg


Each of these options is documented in the syslinux 
man page, but I highlight a few here. The default option
sets which label to boot when the timeout expires. The 
timeout is in tenths of a second, so in this example, 
the timeout is 30 seconds, after which it will boot using 
the options set under label 1. The display option lists a 
message if there are any to display by default, so if you 
want to display a fancy menu for these two options, you 
could create a file called f1.msg in /var/lib/tftpboot/ that 
contains something like: 


----| Boot Options |-----
|                       |
| 1. Knoppix 5.1.1      |
| 2. CentOS 4.5 64 bit  |
|                       |
-------------------------
<F1> Main | <F2> Help
Default image will boot in 30 seconds...


Notice that I listed F1 and F2 in the menu. You can create
multiple files that will be output to the screen when the user
presses the function keys. This can be useful if you have more
menu options than can fit on a single screen, or if you want
to provide extra documentation at boot time (this is handy
if you are like me and create custom boot arguments for
your kickstart servers). In this example, I could create a
/var/lib/tftpboot/f2.msg file and add a short help file.

Although this menu is rather basic, check out the syslinux 
configuration file and project page for examples of how to 
jazz it up with color and even custom graphics. 


Extra Features: PXE Rescue Disk 

One of my favorite features of a PXE server is the addition
of a Knoppix rescue disk. Now, whenever I need to recover a
machine, I don’t need to hunt around for a disk, I can just
boot the server off the network.

First, get a Knoppix disk. I use a Knoppix 5.1.1 CD for this
example, but I've been successful with much older Knoppix
CDs. Mount the CD-ROM, and then go to the boot/isolinux
directory on the CD. Copy the miniroot.gz and vmlinuz files to
your /var/lib/tftpboot directory, except rename them something
distinct, such as miniroot-knx5.1.1.gz and vmlinuz-knx5.1.1,
respectively. Now, edit your pxelinux.cfg/default file, and add
lines like the one I used above in my example:


label 1
    kernel vmlinuz-knx5.1.1
    append secure nfsdir=10.0.0.1:/mnt/knoppix/5.1.1 nodhcp lang=us ramdisk_size=100000 init=/etc/init 2 apm=power-off nomce vga=normal initrd=miniroot-knx5.1.1.gz quiet BOOT_IMAGE=knoppix


Notice here that I labeled it 1, so if you already have a
label with that name, you need to decide which of the two
to rename. Also notice that this example references the
renamed vmlinuz-knx5.1.1 and miniroot-knx5.1.1.gz files.
If you named your files something else, be sure to change
the names here as well. Because I am mostly dealing with
servers, I added 2 after init=/etc/init on the append line, so
it would boot into runlevel 2 (console-only mode). If you
want to boot to a full graphical environment, remove 2
from the append line.

The final step might be the largest for you if you don’t
have an NFS server set up. For Knoppix to boot over the
network, you have to have its CD contents shared on an
NFS server. NFS server configuration is beyond the scope of
this article, but in my example, I set up an NFS share on
10.0.0.1 at /mnt/knoppix/5.1.1. I then mounted my
Knoppix CD and copied the full contents to that directory.
Alternatively, you could mount a Knoppix CD or ISO directly
to that directory. When the Knoppix kernel boots, it will
then mount that NFS share and access the rest of the files
it needs directly over the network.


Extra Features: Memtest86+

Another nice addition to a PXE environment is the memtest86+ 
program. This program does a thorough scan of a system's 
RAM and reports any errors. These days, some distributions 
even install it by default and make it available during the boot 
process because it is so useful. Compared to Knoppix, it is very 
simple to add memtest86+ to your PXE server, because it runs 
from a single bootable file. First, install your distribution’s 
memtest86+ package (most make it available), or otherwise 
download it from the memtest86+ site. Then, copy the 
program binary to /var/lib/tftpboot/memtest. Finally, add
a new label to your pxelinux.cfg/default file:


label 3 
kernel memtest 


That’s it. When you type 3 at the boot prompt, the 
memtest86+ program loads over the network and starts 
the scan. 
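
Once labels 1 through 3 are in place, every kernel, initrd and message file the menu names has to exist next to pxelinux.0, or that entry fails only when someone selects it at boot time. The shell check below is an added example, not code from the article or the syslinux project; the function names and temporary directory are assumptions, and the sample menu is constructed from the article's labels with the memtest binary deliberately left out.

```shell
#!/bin/sh
# pxe_menu_check TFTP_ROOT [CONFIG]
# Reports files that a pxelinux menu references but the TFTP root lacks,
# and a "default" entry that matches no label. Prints one line per
# problem; returns 0 when clean, 1 on problems, 2 if the menu is unreadable.
pxe_menu_check() {
    root=$1
    cfg=${2:-$root/pxelinux.cfg/default}
    if [ ! -r "$cfg" ]; then
        printf 'cannot read %s\n' "$cfg"
        return 2
    fi

    # awk extracts what the menu references; the loop tests each name
    # relative to the directory holding pxelinux.0 (here the TFTP root).
    problems=$(
        awk '
            { key = tolower($1) }
            key == "default" { dflt = $2 }
            key == "label"   { labels[$2] = 1 }
            key == "kernel" || key == "display" || key ~ /^f[0-9]+$/ {
                print "file", $2
            }
            key == "append" {
                for (i = 2; i <= NF; i++)
                    if ($i ~ /^initrd=/) print "file", substr($i, 8)
            }
            END { if (dflt != "" && !(dflt in labels)) print "nolabel", dflt }
        ' "$cfg" |
        while read -r kind name; do
            case $kind in
                file)
                    [ -f "$root/$name" ] || printf 'missing file: %s\n' "$name" ;;
                nolabel)
                    printf 'default "%s" matches no label\n' "$name" ;;
            esac
        done
    )

    if [ -z "$problems" ]; then
        return 0
    fi
    printf '%s\n' "$problems"
    return 1
}

# Constructed sample: the article's three labels in a throwaway TFTP root
# that holds every referenced file except the memtest binary.
pxe_menu_demo() {
    demo_root=$(mktemp -d) || return 2
    mkdir "$demo_root/pxelinux.cfg"
    cat > "$demo_root/pxelinux.cfg/default" <<'EOF'
default 1
timeout 300
prompt 1
display f1.msg
F1 f1.msg
F2 f2.msg

label 1
  kernel vmlinuz-knx5.1.1
  append secure nfsdir=10.0.0.1:/mnt/knoppix/5.1.1 nodhcp lang=us ramdisk_size=100000 init=/etc/init 2 apm=power-off nomce vga=normal initrd=miniroot-knx5.1.1.gz quiet BOOT_IMAGE=knoppix
label 2
  kernel vmlinuz-centos-4.5-64
  append text nofb ksdevice=eth0 load_ramdisk=1 initrd=initrd-centos-4.5-64.img network ks=http://10.0.0.1/kickstart/centos4-64.cfg
label 3
  kernel memtest
EOF
    for f in f1.msg f2.msg vmlinuz-knx5.1.1 miniroot-knx5.1.1.gz \
             vmlinuz-centos-4.5-64 initrd-centos-4.5-64.img; do
        : > "$demo_root/$f"
    done
    pxe_menu_check "$demo_root" && demo_rc=0 || demo_rc=$?
    rm -rf "$demo_root"
    return "$demo_rc"
}

# Prints the one problem in the constructed sample.
pxe_menu_demo || :
```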


Conclusion 

There are a number of extra features beyond the ones
I give here. For instance, a number of DOS boot floppy
images, such as Peter Nordahl’s NT Password and Registry
Editor Boot Disk, can be added to a PXE environment. My
own use of the pxelinux menu helps me streamline server
kickstarts and makes it simple to kickstart many servers all
at the same time. At boot time, I can not only indicate
which OS to load, but also more specific options, such as
the type of server (Web, database and so forth) to install,
what hostname to use, and other very specific tweaks.
Besides the benefit of no longer tracking down MAC
addresses, you also can create a nice colorful user-friendly
boot menu that can be documented, so it’s simpler for
new administrators to pick up. Finally, I’ve been able to
customize Knoppix disks so that they do very specific
things at boot, such as perform load tests or even set up
a Webcam server—all from the network.


Kyle Rankin is a Senior Systems Administrator in the San Francisco Bay Area and the author of a 
number of books, including Knoppix Hacks and Ubuntu Hacks for O'Reilly Media. He is currently 
the president of the North Bay Linux Users’ Group. 

tftp-hpa: www.kernel.org/pub/software/network/tftp

atftp: ftp.mamalinux.com/pub/atftp

Syslinux PXE Page: syslinux.zytor.com/pxe.php

Red Hat's Kickstart Guide: www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/sysadmin-guide/ch-kickstart2.html

Knoppix: www.knoppix.org

Memtest86+: www.memtest.org


Graphic Administration with Webmin


When you start administering a Linux system,
one of the biggest challenges is learning exactly
what to do, and how to do it. There simply are
too many tools, settings, parameters, configuration
files, daemons and what have you to
consider. Obviously, if you ever want to become a full-fledged
sysadmin on your own, you have to learn everything. But, until
you get to that point, you still need to get things done, and you
would do well by installing and using Webmin, a Web-based,
comprehensive administration tool for Linux systems.

Webmin runs on your server and presents a Web-based
interface, allowing you to do all sorts of system administration
tasks—from the very simple to the very complex ones—without
ever touching a configuration file or restarting any process
or daemon on your own. As an aside, it isn’t just any run-of-the-mill
tool. If you mention Webmin at a Linux Users Group
reunion, it's guaranteed to raise a lively argument—much
akin to the “using closed graphics drivers” or “banning all
non-open-source software from distributions” discussions
on forums and chat channels.

For some people, the idea of using anything but the com- 
mand line to manage a server is barely short of heretical, and 
they believe you should not even consider using Linux if you 
plan on employing such a tool. (A Linux user I know once said
dismissively, “If you want to use graphic tools, use Windows.”)
However, for other people, any tool that helps them avoid 
mistakes or the need to memorize a lot of parameters is a 
welcome addition to their toolset. 


Webmin won't let you avoid actually learning about Linux 
though. You can’t merely start using it and change configura- 
tion settings without knowing perfectly well what you are 
doing. If you know what needs to be done and how to do it,
Webmin can save you from having to memorize lists of param- 
eters or configuration files, and it will help you get things 
done quickly and safely. On the other hand, don't ever use 
Webmin as an experimentation tool. It’s quite likely you could 
really mess things up. 

Webmin runs not only on Linux, but on UNIX and FreeBSD as 
well. Here's a partial list of supported systems and distributions: 
Asianux, Caldera, Debian, FreeBSD, Gentoo (and Sabayon), 
HP-UX, IBM AIX, LinuxPPC, Lycoris, Mac OS X, Mandriva 
(and Mandrake and Conectiva), MEPIS, NetBSD, OpenBSD, 
PCLinuxOS, PlayStation Linux, Red Hat (and CentOS and Fedora), 
Scientific Linux, SCO OpenServer and UnixWare, Slackware, Sun 
Java Desktop System, Sun Solaris, SUSE and OpenSUSE Linux, 
Turbolinux, Ubuntu (and derivatives like Kubuntu or Xubuntu), 
Xandros, Yellow Dog Linux and Yoper Linux. 

If your favorite distribution isn’t included, some Webmin 
modules might not work, so be careful. If you are using a dis- 
tribution derived from one that is on the list, it’s a fair bet you 
won't have any problems, but don’t say I didn’t warn you.

By the way, why this state of affairs? The problem is a lack 
of standardization. Distributions use different locations for 
various configuration files, and if Webmin can’t find them, it 


won't be able to function. This may change for the better 
over time, when (if) all distributions fully embrace the Linux 
Standard Base (LSB) and comply with the standards related to 
file placement. But, that certainly hasn’t happened yet. To 
mention a simple example, I’m currently using OpenSUSE, and 
it uses /srv/www/htdocs as the root for Web sites. Most other 
distributions use /var/www/html. So, you can see that a config- 
uration module might have serious problems finding Web files 
if it didn’t know about this difference. 

What do you need to run Webmin? Just a browser, Perl, a 
Java Runtime Environment (JRE) for some functions and the 
root password. After you become familiar with Webmin, you'll 
be able to forget about ever editing configuration files (like all 
those in the /etc directory) or starting, stopping and reloading 
services. If you set up Webmin correctly, you even will be able 
to administer your server from a remote machine. 


Installation 

Webmin is available under the GPL, so you can get it without 
any problems. The latest version (as of the time of this writing) 
is 1.380, and it's being developed actively. The easiest way to 
install Webmin is with your favorite package manager. Even 
though I am an OpenSUSE user, I prefer Smart to YaST, so a
simple smart install webmin command did the job for me. If
you don’t get the latest version this way, don’t worry. You can
fix that just by using Webmin itself; keep reading.

The other method of installation is to go to the download
site, download the appropriate version for your system, and 
follow the instructions on the left side of the page. There are 
two options here. You can get the full package (with all 
available modules), or you can get the minimal edition and 
add the modules you require afterward, using Webmin’s 
own update features. 

After installing Webmin, you need to start a service.
Working as root (use su), do chkconfig webmin on to ensure
that Webmin starts every time you turn on your machine.
Then do /etc/init.d/webmin start to start it immediately.
You're all set.

Using Webmin is simple. Open your favorite browser, 
and navigate to http://localhost:10000 (or the equivalent, 
http://127.0.0.1:10000), and you'll see Webmin’s login page. 
Next, enter the user name and password for the system 
administrator (in many distributions, that would be root, 
but Ubuntu and others grant sysadmin rights to specific users 
instead), and click the Login button. You could check the 
Remember login permanently box, but that’s a security risk, 
so I recommend not doing that.

Figure 1. Initial Webmin Login Screen

Figure 2. After logging in, you'll see a menu and system information on
the screen.


If you want to save yourself some typing, save that address
as a bookmark. For example, in Firefox, either press Ctrl-D or
go to Bookmarks→Create new bookmark. Alternatively, for
even less typing, create a desktop icon. If you use KDE,
right-click on your desktop, select Create New→Link to Location
(URL), enter the URL above, and click OK. (The process is similar
if you use GNOME.) You can make it even snazzier by right-clicking
on the newly created icon and changing its image to
/usr/libexec/webmin/images/webmin.xpm (this path might be
different for distributions other than OpenSUSE).


Upgrade 

Once you have Webmin installed correctly, upgrading it or
adding more modules is a breeze. On the left-side menu,
select Webmin→Webmin Configuration, and you'll see a
screen full of icons. If you click Upgrade Webmin (the
up-pointing blue arrow), you can upgrade Webmin itself from
the Internet. Note that you can click on Scheduled Update to
set up a cron task that will connect to the Web and download
all needed updates on its own. This is a safe option (for you'll
definitely get all updates and bug fixes as soon as possible),
but it’s also an unsafe one (should the Webmin Web site itself
ever be hacked). So, I leave it up to you to decide whether you
want to do this.

Figure 4. You can upgrade Webmin or add new modules without any
other tools.


On the same Webmin Configuration page, if you click the
Webmin Modules icon (the one with small boxes), you can
browse all available modules on the Webmin site or even
download third-party modules from other sites. Choosing the
Standard Module option provides a pop-up window with
dozens of modules (I haven't been able to figure out whether
there’s a method to the list's organization). If you click a module
name, and then click Install Module, Webmin downloads it
and sets it up for you.

Figure 5. Webmin has its own database of users.


Users and Groups 

Before moving on, let’s talk about security and users.
Webmin has its own users, which are not the same as the
operating system users. The very first time you log in, it
automatically creates a root user. You shouldn't let every
user work with this account. It’s safer if you create specific
accounts and restrict each one to needed functions. To do
this, click Webmin on the left-side menu, and then
Webmin Users.

When adding users, you can opt to give them a specific
Webmin password or use “Unix authentication”. The former
option is usually safer (but only if users choose a password
different from their standard passwords), and the latter option
is the friendliest one. The Password Restrictions screen lets you
set specific controls, so users can’t use too short, simple or
easy-to-guess passwords.

Figure 6. Using password restrictions provides higher security levels.


Usermin: A TOOL FOR USERS


Usermin is a close relative of Webmin, designed
to allow end users to manage several administrative
functions on their own, such as changing
passwords and user details, managing mail
(though a standard e-mail client is a better solution)
and more. Usermin is available by default
when you install Webmin. You can access it by
navigating to http://127.0.0.1:20000, where you'll
see an interface very much like Webmin’s, but
with far fewer functions. In fact, you can configure
which functions will appear with Webmin. Start
that program, go to Webmin→Usermin
Configuration→Available Modules, and select
which modules should be available via Usermin.
You don’t need to log in to use Usermin; it will
assume the rights of the current user.

Instead of assigning rights to each user, you can create 
groups. Go to Webmin—Webmin Users, and click Create 
a new Webmin group. Select what functions should be 
allowed to members of this group, and finish by clicking 
Create. From now on, when you create new users, you can 
specify to which group they belong, and their rights will be 
assigned automatically. 

You also should take a look at the Unix User Synchronization
option, which allows the automatic synchronization of
Linux users and Webmin users. You can set it up so that
every time a Linux user is created/deleted, a corresponding
Webmin user also is created/deleted. The Unix User Authentication
option also might be of interest if you have many users
who should be allowed access to Webmin. Additionally,
you can use the View Login Sessions to check whatever
the users might have done.


Using Webmin is quite simple, as you might already have 
guessed from the examples above. Choose a category from 
the menu on the left side of the screen, and it opens up, 
showing a list of available modules. The main page for
each module usually includes a Module Config link on its 
top-left corner, which lets you do some configuration, and 
a Help link that provides documentation on the module's 
functions. Here are the categories: 


■ Webmin: provides general configuration, including
language and theme selection (you can use Webmin in 
more than 40 languages), upgrades, module installation, 
logging options, log browsing and more. If you want 
to make your installation more secure, check the 
Authentication option (allowing, among other things, 
protection against brute-force password-cracking 
attacks), and also check IP Access Control and Blocked 
Hosts and Users. If you have the Servers module 
installed, you can use it to scan for other Webmin 
servers and administrate them remotely—although it 
won't be as speedy. 


■ System: covers many different functions. You can control
backups with the third-party option for the Bacula
backup system or with a far simpler filesystem backup 
that uses either tar or the dump-and-restore family of 
commands to save directories to tape or to a file on 
another filesystem. Bootup and Shutdown lets you spec- 
ify which services will be run at which levels, and also 
(obviously) to reboot or shut down the system. For user 
management, check Users and Groups (which allows 
you to create, edit or delete both users and groups) and 
Change Passwords, whose function is obvious. The Disk 
and Network Filesystems module lets you mount or 
unmount devices and filesystems, and Disk Quotas will 
be of interest if you have assigned file space quotas to 
users. You can schedule commands to run once (think 
atd) or have periodical jobs (think cron). You can get a 
top-like display of processes (but it won't refresh on its 
own) with the Running Processes option, and you can 
find plenty of information by clicking on a process id. 
Finally, to cut the list short, the Software Packages 
option allows you to install or remove a software 
package on the server remotely. 


■ Servers: this category has to do with all the possible servers
you might be running, including Web-related functions, 
such as Apache or FTP; mail functions (Fetchmail, Postfix, 
Qmail, Sendmail) and filters (ProcMail, SpamAssassin); file 
sharing (Samba); databases (MySQL, PostgreSQL); network 
functions (DHCP, SSH, DNS, SLP); proxying (Squid); and 
several similar functions. There are several options for each 
of these modules, so you'll want to click on each of them 
to see the available features. 


■ Networking: covers more-specific network-related options,
including configuration (interfaces, routing, gateways, DNS 
client, host addresses); services; connection (ADSL client, 
Bandwidth Monitoring, PPP, SSL tunnels, VPN); security 
(Kerberos5, IPsec); firewalls (the Linux Firewall provides an 
iptables-based configuration, and there’s an option for 
the Shoreline shorewall firewall too); and more, including 
NFS and NIS. 

Figure 8. You can configure Apache fully with Webmin. Here, you can
edit the default server attributes.

Figure 9. Webmin provides an alternative to PHPMyAdmin for configuring
MySQL databases.


■ Hardware: lets you control disks and volumes (including
LVM, RAID and disk partitions; you also can use Smart to 
check the status of your disk units); printers; CD burning; 
and the system clock. If you are using GRUB, you can edit 
its options from here too. 


■ Clusters: includes several options you will use only if
you are running two or more machines forming a
cluster, with the Heartbeat monitor—a rather more
specialized setup, which proves once again that you
need to know what you're doing before starting to mess
with Webmin.


■ Others: a catchall for several options, including a command
shell (implemented via a Java applet) for full console access, 
or Custom Commands, which allows you to set up and exe- 
cute commonly used commands, with optional parameter 
substitution—a fine tool if you need to make some com- 
mands available to inexperienced users. There also is a File 
Manager (another Java applet), SSH/Telnet remote login, an 
HTTP tunnel for accessing Web pages, data files upload and 
download, and more. 


Conclusion 

Can you benefit from Webmin? Who should use it? Jamie 
Cameron, Webmin’s creator, said this program “may be 
better suited for less-experienced users who are unfamiliar 
with configuration file formats than for enterprise sysad- 
mins who already have a detailed understanding of UNIX”. 
I fully agree with that opinion, although I'd add that even
if you are quite familiar with configuration files and the 
like, you might welcome an easier (and sometimes quicker) 
way of doing things. 

Webmin packs a quite impressive, always growing, 
number of functions, but it allows you to use only what 
you require, through clear menus and forms, and it detects 
possible errors before they can do any harm. You should at 
least consider it for its learning value, because you can 
examine configuration files before and after each change, 
and, thus, learn how something was (or should have been) 
done. You can't avoid learning about each function before 
diving in, but Webmin provides at least an easier road to 
becoming a more proficient sysadmin.


Federico Kereki is an Uruguayan Systems Engineer, with more than 20 years’ experience teaching 
at universities, doing development and consulting work, and writing articles and course material. 
He has been using Linux for many years, having installed it at several different companies. He is 
particularly interested in the better security and performance of Linux boxes. 


Resources 


Webmin and Usermin: www.webmin.com 


Webmin Download Site: 
www.webmin.com/download.html 


Linux Standard Base: www.linux-foundation.org/en/LSB 


Smart: labix.org/smart 


Backups to the Future:
Eliminate Tape Backups
with FreeNAS and Bacula


The future of backups is here, but unfortunately, there aren't any DeLoreans.


JERAMIAH BOWLING 


Backups in today’s environment are in a state of flux. Tapes 
have been the mainstay of most organizations for years—and 
in some cases, decades. However, as the cost of hard drives 
decreases and their capacity increases, conventional wisdom 
about backups and tapes is changing. Although tapes still 
prove useful for archiving and offsite storage, inexpensive 
disk-based technology slowly is creeping into areas that tape 
has traditionally dominated. 

Many enterprises find it's just as easy and reliable to back 
up data over their network to near-line storage, such as a 
Storage Area Network (SAN) or Network-Attached Storage 
(NAS), instead of tape. This approach is also sometimes referred
to as disk-to-disk (D2D) backup. The benefits of near-line storage
are many, especially speed and capacity. When deciding to go
near line, you really have only two choices: SAN or NAS. Of
the two, NAS is more cost-practical for most shops. In this
article, I explain how to implement a near-line backup to a
NAS to illustrate how easy it is to begin the transition from
tapes to disks.

I've chosen two programs for reaching the goal of a tape- 
less backup: FreeNAS (to create a networked storage area for 
backup files) and Bacula (to automate backups and provide a 
pseudo-daily, weekly and monthly rotation). 

To keep things simple, let's build two systems, one running 
FreeNAS and one running Bacula on top of Fedora 8. All 
configuration done on the Bacula system for this article was 
performed as root, but it also could be done with sudo. Bear 
in mind, the options covered in both programs here represent 
only a handful of their full capabilities. 


FreeNAS 
FreeNAS is one of the simplest programs I have ever deployed.
It’s small enough to run a system from a CD or USB key.
However, for this example, let's install it on our server to the
local hard disk. On your system, I suggest at least 256MB of
memory and SATA drives for decent performance. If you want
to use RAID on your drives, use hardware-based solutions.
They are faster, and there have been issues with the built-in
software RAID capabilities of FreeNAS. If you opt to use hardware
RAID, check the hardware compatibility list for FreeBSD, on
which FreeNAS is based, before making a purchase.
Download the latest ISO from the FreeNAS site, and burn 
it to CD (version .684b at the time of this writing). Boot the 
system from CD, and when you come to the options menu
(Figure 1), select option 7 to install the server image to a local
hard disk. Next, select option 2 to create two UFS partitions.
UFS is the native filesystem in FreeNAS, and because we plan to
access our data on the disk via a networked protocol (NFS),
any system should be able to connect to it. Select these options to
create a small partition for the server software, and use the rest of
the space for a second data partition. When prompted, enter
the name of the CD drive (acd0 in my install), and then enter
the destination drive (da0). When the install routine is complete,
enter 3 at the prompt to return to the main menu, and
then enter 1 to assign an interface. Accept the default interface,
and give it an IP address (unless you are using DHCP).
Once assigned, return to the main menu, and reboot the
machine. Remove the CD, and the system now should boot
from the system partition on the disk.


Figure 1. FreeNAS Install Options 


Once the system is back up, open a Web browser from 
another system, and enter the IP of the FreeNAS machine as 
the URL to access the management site. At the prompt, enter 
admin as the user name and freenas as the password. From 
this management site, you can change a multitude of settings, 
but for now, we need to change only our hostname (Figure 2), 
mount the auto-created DATA partition and enable NFS. 

Click the Management link under the Disks section of the
Web page. You should see a message saying that you need to
add your hard drive to the disk list. Click the + icon to add it
(Figure 3). Leave all the options at their defaults, except
PreFormatted FS. Set this to UFS, as FreeNAS already has done
the work for us. Once you click the Apply Changes button, the
status column of your disk will change to ONLINE.

Figure 3. Adding the Disks

Now click the Mount Point link, and click the + icon again 
on this page to edit the Mount Point properties (Figure 4). 
From this screen, change the partition to 2, as partition 1 is 
the system partition, which cannot be used. Leave the File 
System as UFS, and enter DATA as the share name. Click Add 
when finished. This takes you back to the original Mount Point 
page. Click Apply Changes. 

Figure 4. Mounting the DATA Share

Under the Services links, click NFS. Check the Enable
box to turn NFS on, and type your network address range in
CIDR notation. Click the Save button, and your NAS build
is complete.


Bacula 

With the FreeNAS system in place, let's start building the 
Bacula system. The test system used here was built on Fedora 
8 (Werewolf) with GNOME, because it includes Bacula and its 
dependencies in its core RPM library. To add the necessary 
packages and related dependencies, all you need to do is use 
the Add/Remove Software utility under the Applications menu. 
When ready, install the following packages: 

■ bacula-client

■ bacula-common

■ bacula-console

■ bacula-gnome

■ bacula-console-gnome

■ bacula-console-wxwidgets

■ bacula-director-common

■ bacula-director-mysql

■ bacula-docs

■ bacula-storage-common

■ bacula-storage-mysql

■ bacula-traymonitor

■ mysql


When the installs are complete, start mysqld, and set it to
start at runlevel 5 from the Services utility in GNOME or use
chkconfig. If you're using a different distribution, you need to 
use the Bacula source files and make/configure the install to 
get to the next step. This can be more challenging than using 
an RPM, because of the numerous command-line install 
options available. 

Next, open a terminal to create the MySQL tables needed 
for Bacula to operate. Run the following scripts created by the 
Bacula RPM: 


/etc/alternatives/create_bacula_databases
/etc/alternatives/make_bacula_tables
/etc/alternatives/grant_bacula_privileges


After setting up the database, create a local mountpoint 
(like /mnt/freenas), and mount the FreeNAS share created 
previously. An easy way to do this on every startup is to add 
the following line to your /etc/fstab file: 


FreeNASServerHostName:/mnt/DATA /mnt/freenas nfs defaults 0 0


To mount the partition immediately, type mount -a. 

Before moving on to editing Bacula’s configuration files,
here’s how Bacula works. The Bacula program is composed
of three separate daemons: the director, the storage daemon
and the file daemon. The director is the boss. It’s the main
server daemon that defines jobs, pools, schedules and most
of the important settings related to backups. As such, the
majority of setup deals with its configuration file
/etc/bacula/bacula-dir.conf. The storage daemon (SD) controls the media
written to by Bacula, usually either tapes or disks. These items
are configured in the bacula-sd.conf file. The file daemon (FD),
also referred to as the client, runs locally on any system you
want to back up. Two other related utilities used here are the
GNOME console (gnome-console.conf) and the tray-monitor
(tray-monitor.conf) utility.

With this basic knowledge of Bacula’s interoperation,
open your /etc/bacula/bacula-dir.conf file, and add the following
lines (for brevity, I have added only those sections
used in our scenario):


# Settings shared by both backup jobs
JobDefs {
  Name = "UserHomes"
  Type = Backup
  Client = bacula-fd
  FileSet = "UserHomeFolders"
  Storage = File
  Messages = Daemon
}

Job {
  Name = "WeeklyHomeBackups"
  JobDefs = "UserHomes"
  Level = Full
  Schedule = WeeklyFullandDiffs
  Pool = Weekly
  Priority = 10
  Write Bootstrap = "/var/spool/bacula/WeeklyHomeBackups.bsr"
}

Job {
  Name = "MonthlyHomeBackups"
  JobDefs = "UserHomes"
  Level = Full
  Schedule = MonthlyFull
  Pool = Monthly
  Priority = 10
  Write Bootstrap = "/var/spool/bacula/MonthlyHomeBackups.bsr"
}

# Full backup on Sunday, differentials Monday through Friday
Schedule {
  Name = "WeeklyFullandDiffs"
  Run = Level=Full Pool=Weekly sun at 3:00
  Run = Level=Differential Pool=Diffs mon-fri at 3:00
}

# Full backup on the first Saturday of each month
Schedule {
  Name = "MonthlyFull"
  Run = Level=Full Pool=Monthly 1st sat at 3:00
}

FileSet {
  Name = "UserHomeFolders"
  Include {
    Options {
      compression = GZIP
      signature = MD5    # per-file MD5 checksum recorded with the backup
    }
    File = /home
  }
}

Pool {
  Name = Weekly
  Pool Type = Backup
  Recycle = yes
  AutoPrune = yes
  Volume Retention = 6 days
  Maximum Volumes = 5
  Label Format = Bkup-Full
}

Pool {
  Name = Diffs
  Pool Type = Backup
  Recycle = yes
  AutoPrune = yes
  Volume Retention = 23 hours
  Maximum Volumes = 1
  Label Format = Bkup-Diff
}

Pool {
  Name = Monthly
  Pool Type = Backup
  Recycle = yes
  AutoPrune = yes
  Volume Retention = 364 days
  Maximum Volumes = 12
  Label Format = Bkup-Monthly
}


Although it may seem odd to start at the bottom and dis- 
cuss the Pool section, it is vital that it is configured correctly. A 
pool is simply a collection of volumes. Volumes are tapes or 
disks to which the backup files are written. A pool can contain 
any number of volumes, but it must have at least one volume. 
Here, we have set up three pools: a weekly full, a differential 
and a monthly. This allows us to maintain backups for the 
current week up until the previous day and a 12-month 
rotation for our monthly backups. 

Then, going from the top section down, there is a Job
Definitions (JobDefs) section, and two Jobs modeled around
our backup strategy. The JobDefs section defines
common properties that several jobs share, like a
template. In it, we have listed settings common to
both jobs. The Schedule section defines when a
given job runs and how often. The schedules listed
here run weekly backups every Sunday, daily differentials
Monday through Friday and a monthly backup
the first Saturday of every month. The FileSet section
lists what folders and files to back up and with
what options. For this example, we have set Bacula
to back up the local users’ home folders, a common
scenario for backups. Recursion is enabled by default
on FileSets, so we need to specify only the parent
folder. The backup files also are set to compress
using gzip and to hash/encrypt themselves using
MD5. Doing both is good practice.

Figure 5. Start all three Bacula daemons, and set them to runlevel 5.

Before saving and closing the file, go through and
change any instance of @@Password@@ or like
entries to a common password. Rather than cover
how each Bacula daemon authenticates with the
other, it’s easier simply to change all of them to the
same password for the time being and get the system
up and running. You can change these passwords later if
desired. Change any other password-related fields in the following
files to the common password as well: bacula-sd.conf,
bacula-fd.conf, bconsole.conf, gnome-console.conf and
tray-monitor.conf. After changing the passwords, you also need
to change any references to your host in all the .conf files, so
the daemons can communicate with each other. If all of the
daemons run locally, you can use localhost. You also could use
an FQDN or IP address. The field you want to edit is listed under
each section as Address. So, for example, change the line:


Address = server.example.com 


to: 


Address = localhost 


You also could search for the client.example.com and 
storage.example.com entries to find some of the other entries 
that need to be changed. Once the passwords and Address 
fields have been set, open the /etc/bacula/bacula-sd.conf file 
in your editor, and comment out the following line in the Device
section of the Filestorage device: 


Archive Device = /tmp 


Then, add the line below in its place to associate the locally
mounted FreeNAS partition with the storage daemon so you
can back up to it:

Archive Device = /mnt/freenas 
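
If the NFS mount fails or is missing after a reboot, /mnt/freenas is only an empty local directory, and the storage daemon will write its volumes to the Bacula server's own disk without complaint. The check below is an added example, not part of the original article: it reads a mount table, confirms that the Archive Device really is the FreeNAS export, and warns when the nosuid, nodev and noexec options are absent (the same parser accepts fstab lines). Function names and sample data are constructed for illustration.

```python
import re
import sys

HARDENING = ("nosuid", "nodev", "noexec")


def unescape(field):
    """Decode the octal escapes (\\040 for a space) used in mount tables."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_mounts(text):
    """Parse /proc/mounts or fstab text; both share the first four fields."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0].startswith("#"):
            continue
        entries.append({"source": unescape(parts[0]), "target": unescape(parts[1]),
                        "fstype": parts[2], "options": parts[3].split(",")})
    return entries


def check_archive_device(mounts_text, archive_device, expected_source):
    """Return (errors, warnings) for the directory Bacula writes volumes to."""
    target = archive_device.rstrip("/") or "/"
    hits = [e for e in parse_mounts(mounts_text) if e["target"] == target]
    if not hits:
        return ["%s is not a mount point; volumes would go to the local disk" % target], []
    entry = hits[-1]              # the latest mount on a path hides earlier ones
    errors, warnings = [], []
    if not entry["fstype"].startswith("nfs"):
        errors.append("%s is %s, not an NFS mount" % (target, entry["fstype"]))
    if entry["source"] != expected_source:
        errors.append("%s is served by %s, expected %s"
                      % (target, entry["source"], expected_source))
    if "ro" in entry["options"]:
        errors.append("%s is mounted read-only" % target)
    missing = [opt for opt in HARDENING if opt not in entry["options"]]
    if missing:
        warnings.append("%s lacks mount options: %s" % (target, ",".join(missing)))
    return errors, warnings


def main(argv):
    """Exit non-zero on any error so a calling hook can stop the backup."""
    if len(argv) != 3:
        sys.stderr.write("usage: %s ARCHIVE_DEVICE EXPECTED_EXPORT\n" % argv[0])
        return 2
    with open("/proc/mounts") as handle:
        errors, warnings = check_archive_device(handle.read(), argv[1], argv[2])
    for message in errors:
        sys.stderr.write("ERROR: %s\n" % message)
    for message in warnings:
        sys.stderr.write("WARNING: %s\n" % message)
    return 1 if errors else 0


# Constructed samples: a healthy mount table, one where the share is absent,
# and the fstab entry from the article (options "defaults" only).
EXPORT = "FreeNASServerHostName:/mnt/DATA"
MOUNTED = ("/dev/sda1 / ext3 rw 0 0\n"
           + EXPORT + " /mnt/freenas nfs rw,nosuid,nodev,noexec,vers=3 0 0\n")
NOT_MOUNTED = "/dev/sda1 / ext3 rw 0 0\n"
ARTICLE_FSTAB = EXPORT + " /mnt/freenas nfs defaults 0 0\n"

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Bacula's Run Before Job directive cancels a job when its command exits non-zero, so calling this script there, with the archive directory and the expected export as arguments, keeps a backup from running against an unmounted share.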


The final step is to open the Services utility under System→
Administration, and check the box to set bacula-dir, bacula-sd 
and bacula-fd to start on runlevel 5 (Figure 5). You now can 
use the syntax: 


service bacula-dir|sd|fd start|stop|restart 


to control the daemons. On other distributions, you can 
start the daemons directly from /usr/sbin and use chkconfig 
to set the runlevel. 
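
The shortcut above of setting every @@Password@@ entry to one common password leaves the console, file daemon and storage daemon channels all guarded by the same secret. The audit below is an added example, not code from the article or from Bacula: it parses the .conf files and reports leftover placeholders, a password shared across channels, and files readable by other users. The channel names, function names and sample files are constructed, and it assumes one directive per line.

```python
import os
import re
import stat
from collections import defaultdict

# The daemon pair each Password directive authenticates, keyed by (file,
# resource type). Both ends of a channel share a secret; channels should not.
CHANNELS = {
    ("bacula-dir.conf", "director"): "console-director",
    ("bconsole.conf", "director"): "console-director",
    ("gnome-console.conf", "director"): "console-director",
    ("bacula-dir.conf", "client"): "director-fd",
    ("bacula-fd.conf", "director"): "director-fd",
    ("bacula-dir.conf", "storage"): "director-sd",
    ("bacula-sd.conf", "director"): "director-sd",
}
OPEN_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?)\s*\{")
DIRECTIVE_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?)\s*=\s*(.*?)\s*$")
COMMENT_RE = re.compile(r'("[^"]*")|#.*')   # keeps a # that sits inside quotes
PLACEHOLDER_RE = re.compile(r"^@@.*@@$")


def parse_resources(text):
    """Yield (resource type, {directive: value}) for each top-level resource."""
    depth, rtype, fields = 0, None, {}
    for raw in text.splitlines():
        line = COMMENT_RE.sub(lambda m: m.group(1) or "", raw)
        if depth == 0:
            opened = OPEN_RE.match(line)
            if opened:
                rtype, fields = opened.group(1).lower(), {}
        elif depth == 1:
            directive = DIRECTIVE_RE.match(line)
            if directive:
                fields[directive.group(1).lower()] = directive.group(2).strip('"')
        depth += line.count("{") - line.count("}")
        if depth == 0 and rtype is not None:
            yield rtype, fields
            rtype = None


def audit(configs, modes=None):
    """Return findings for {file: text} and {file: mode}; secrets are never echoed."""
    findings = []
    channels_of = defaultdict(set)           # secret -> channels that use it
    for fname, text in sorted(configs.items()):
        for rtype, fields in parse_resources(text):
            secret = fields.get("password")
            if secret is None:
                continue
            if not secret or PLACEHOLDER_RE.match(secret):
                findings.append('PLACEHOLDER %s %s "%s": password never set'
                                % (fname, rtype, fields.get("name", "?")))
            elif fname == "tray-monitor.conf" or fields.get("monitor", "").lower() == "yes":
                channels_of[secret].add("monitor")
            else:
                channels_of[secret].add(CHANNELS.get((fname, rtype), "other"))
    for channels in channels_of.values():
        if len(channels) > 1:
            findings.append("SHARED %s: one password opens all of them" % ", ".join(sorted(channels)))
    for fname, mode in sorted((modes or {}).items()):
        if mode & 0o007:
            findings.append("PERMS %s: mode %o is open to other users" % (fname, mode))
    return findings


def audit_directory(path="/etc/bacula"):
    """Audit the real *.conf files under path (run as root)."""
    configs, modes = {}, {}
    for fname in sorted(f for f in os.listdir(path) if f.endswith(".conf")):
        full = os.path.join(path, fname)
        with open(full) as handle:
            configs[fname] = handle.read()
        modes[fname] = stat.S_IMODE(os.stat(full).st_mode)
    return audit(configs, modes)


# Constructed sample: every daemon set to one password, one placeholder left.
SAMPLE = {
    "bacula-dir.conf": """
Director {
  Name = bacula-dir
  Password = "common-secret"
}
Client {
  Name = bacula-fd
  Password = "common-secret"
}
Storage {
  Name = File
  Password = "common-secret"
}
""",
    "bacula-fd.conf": 'Director {\n  Name = bacula-dir\n  Password = "common-secret"\n}\n',
    "bacula-sd.conf": 'Director {\n  Name = bacula-dir\n  Password = "common-secret"\n}\n',
    "bconsole.conf": 'Director {\n  Name = bacula-dir\n  Password = "@@Password@@"\n}\n',
}
SAMPLE_MODES = {"bacula-dir.conf": 0o644, "bacula-fd.conf": 0o640}
```

Calling audit(SAMPLE, SAMPLE_MODES) returns one finding of each kind; a set of files with one distinct password per channel and no access for other users returns an empty list.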


Running a Backup Job 

Running a backup is quite simple, as you already have 
done most of the work by editing the bacula-dir.conf file. 
Start the Bacula console from the Applications→System
Tools menu (Figure 6) in GNOME. You may need to edit
the launcher, as I did, to point it to the correct
/etc/bacula/gnome-console.conf file. Start the Tray Monitor utility
from the System Tools menu as well. The Tray Monitor 
(Figure 7) is nice, because it gives you a quick glance at 
the status of the daemons and any running jobs. This is 
helpful when you are multitasking or have jobs that run 
nightly and you want to check their status the next 
morning. Return to the console, and click the Run button 
to bring up the backup job dialog window. Under job, 
select WeeklyHomeBackups (Figure 8). This pre-fills the 
field selections with the items specified in your .conf file. 
You could change any of these options at this point, but 
they must first exist in the .conf file or they will not appear 
in the fields. In other words, you can't create a job from 
the drop-downs without populating the Job section of 
the .conf file. 

Up to this point, there are no volumes, which, as previously
mentioned, need to exist before you can run a backup. Typically,
you would have to use the label command from the console’s
command line to create a volume in a pool manually, but
because of our settings, the system will create them automatically,
auto-name them and recycle them when the volume
retention period triggers. I like this better than manually creating
the volumes, as you are less likely to encounter naming errors.
Click OK to run the job, and view the results in the console. 

If you were to change the Volume Retention setting on the 
same pool, restart the daemons and run the job again, you 
would see the system auto-recycle a volume in the pool for 
the next job. Otherwise, it will prompt you to create a new 
volume, as no existing volumes can be recycled due to reten- 
tion settings. You can run these jobs manually as often as you 
want, but they also will run according to the schedule defined 
in the bacula-dir.conf file. 


Restoring a File 
Restoring a file in Bacula also is remarkably simple. You
can use either the Restore button on the console toolbar
or the restore command. Both are easy to use, but the
restore command provides more options. To keep it simple,
let's use the Restore button. When the dialog opens, select
a job, client, pool and so on from which to restore (Figure
9), then click Select Files to mark the files/folders you want
to restore (Figure 10). Before the restore job runs, you will
be prompted to confirm your options, at which point you
could type yes, mod or no. Typing mod provides more
options over the job, including the option to restore to a
different path from the original one.

Figure 10. Marking the Files to Restore


The Beginning of the Future 

Although we have simplified the near-line backup process
here, it’s only the beginning. Our simple setup has accomplished
what we set out to do: back up our data to a
networked disk. To replace tapes completely in most backup
strategies, you need some sort of offsite storage/synchronization
scheme, which I’ve not addressed here. However, once you
see much faster backups and how much more data you can
store on a disk, you'll be itching to make the move and get rid
of those tapes.


Jeramiah Bowling has been a systems administrator and network engineer for more than ten years. 
He works for a regional accounting and auditing firm in Hunt Valley, Maryland, and holds numerous 
industry certifications including the CISSP. Your comments are welcome at jb50c@yahoo.com. 


Resources 


FreeNAS Main Site: www.freenas.org 


FreeBSD Hardware Compatibility Checklist: 
www.freebsd.org/releases/5.1R/hardware-i386.html 


Bacula: www.bacula.org 
Bacula Download Site: sourceforge.net/projects/bacula


Bacula Documentation: www.bacula.org/rel-manual/index.html
Scalable OpenGroupware.org


Finally, a scalable groupware solution that matches the offerings from big vendors. 


FRANCIS LACHAPELLE AND LUDOVIC MARCOTTE 


This article is a follow-up to “Linux Groupware Roundup”, 
published in Linux Journal in July 2005. As you might know, a 
few things have changed since 2005: 


■ CalDAV has been adopted by the IETF as a proposed
standard, and open-source projects, such as Bedework,
OSAF Chandler Server (Cosmo), Zimbra and SOGo,
implement the protocol.


■ The Sync4j Project, a PIM-data synchronization server, is
now called Funambol. It also has received major enhancements
in the past few releases.


■ In 2006, Novell retracted all full-time employees from the
Hula Project. In 2007, Messaging Architects announced
the acquisition of NetMail, from which Hula is derived.
Thereafter, faithful contributors to Hula forked the source
code in a new independent project named Bongo.


■ The latest version of Apple Mac OS X Server (code-
named Leopard) is shipped with a CalDAV server called
Calendar Server.


■ OpenOffice.org’s groupware client named Glow is being
replaced by a Mozilla-based PIM suite.


■ A new project named Zimbra obtained considerable
attention, especially from Yahoo!, who bought the
company in September 2007.


The open-source collaboration servers mentioned in the 
2005 article have all survived the competition: 


■ Both OpenGroupware.org (OGo) and Open-Xchange (OX)
remain good servers for companies that want to continue
using Microsoft Outlook, even though these products have
not integrated any new appealing features during the past
three years.


■ Citadel has improved its GroupDAV support, but the
authors still refuse to implement CalDAV.


■ Bedework has forked the UW Calendar Project and quickly
brought the project to maturity.


This article focuses on Scalable OpenGroupware.org (SOGo), 
a complete open-source groupware that integrates all 
requirements one would expect from a collaboration suite: 
accessibility, consistent interfaces, scalability and stability. 
Scalable OpenGroupware.org

Based on OpenGroupware.org, a project with more than ten 
years of maturity, Scalable OpenGroupware.org provides 
a complete groupware solution oriented toward scalability 
instead of depth in functionality. SOGo offers all standard 
groupware features, including the following: 


■ Personal and shared calendars with events and tasks.
■ Personal and shared address books with LDAP sources.
■ Personal and shared e-mail mailboxes.


It also stores calendar information using the iCalendar 
standard and contact information using the vCard format. This 
avoids information loss when exchanging over protocols sup- 
ported by SOGo, such as CalDAV, CardDAV and GroupDAV. 

In development since 2004, the project has greatly improved 
during the past few months. Inverse, developers on the project, 
contributed many improvements, such as CalDAV, CardDAV and 
ACL support. Furthermore, it re-created SOGo's Web interface so 
that it matches the look and feel of Mozilla Thunderbird and 
Lightning (or its standalone equivalent, Sunbird). The interface 
now also makes use of Ajax. Although CalDAV and IMAP take 
care of the calendaring and e-mail integration of the Mozilla 
suite with SOGo, address books also needed to be synchronized. 
Inverse created a plugin for Thunderbird named SOGo Connector 
that adds this functionality among others. 

These contributions allow SOGo to provide Web and native 
interfaces sharing the same look and feel, features and data— 
a considerable advantage and uncommon characteristic com- 
pared with other FOSS groupware solutions. 


Installation 

SOGo depends on a few core components, such as Apache, 
PostgreSQL, an LDAP server and an IMAP server (preferably 
Cyrus IMAP Server, Dovecot or Courier) that uses the LDAP 
server as the authentication back end. You need to install those 
(or reuse existing installations) and get them running properly 
before continuing with the SOGo installation instructions. 
SOGo supports other database back ends, but for this article, 
we assume the use of PostgreSQL and that all components, 
including the LDAP server, are installed on the same server. 
Furthermore, SOGo depends on the following components: 


■ GNUstep make and base for compiling and installing the
project and subprojects.


■ SOPE, for server-side Web application development.


Start with obtaining GNUstep make and base. If you're 
using Debian, you can install both components with apt-get: 


% apt-get install gnustep-make libgnustep-base1.13 libgnustep-base-dev


Then, retrieve the SOPE and SOGo's sources from the 
official Subversion server: 


% svn co http://svn.opengroupware.org/SOPE/trunk/ SOPE-trunk 
% svn co http://svn.opengroupware.org/SOGo/inverse/trunk/ SOGo-trunk 


SOPE needs to be patched so that it works well with 
SOGo. Once you have pulled SOPE from the trunk successfully, 
apply the SOPE patch included with SOGo: 


% cd SOPE-trunk 
% patch -p0 < ../SOGo-trunk/SOPE/sope-patchset-*.diff


SOGo integrates well with the Mozilla
suite. Sunbird provides a complete
client-side calendaring application,
and Lightning provides a calendaring
extension to Thunderbird.


Prior to compiling SOPE and SOGo, make sure to source
the GNUstep.sh script that comes with GNUstep make.
This will define some environment variables used by
GNUstep make when building the packages. When using
the Debian packages, this script is located in
/usr/GNUstep/System/Library/Makefiles/GNUstep.sh. Once sourced, compile
and install SOPE, as follows:


% ./configure --with-gnustep --enable-strip --disable-debug 
% make && make install 


And, finally, compile and install SOGo, its Web templates 
and resources: 


% cd ../SOGo-trunk
% ./configure --with-gnustep --enable-strip --disable-debug
% make && make install
% cp -a UI/WebServerResources UI/Templates $GNUSTEP_LOCAL_ROOT/Library/SOGo-0.9/


Configuration 
The first step in SOGo's configuration is creating a sogo user. 


The SOGo daemon runs under this user:

% adduser sogo

Once you've created the user, you need to configure
Apache. Do echo $GNUSTEP_LOCAL_ROOT, and remember
the value, as it will be required shortly. Create the file
/etc/apache2/conf.d/SOGo.conf (elsewhere if you are not using
Debian) with the content shown in Listing 1.

Listing 1. Apache Configuration

Alias /SOGo.woa/WebServerResources/ \
      <GNUSTEP_LOCAL_ROOT>/Library/SOGo-0.9/WebServerResources/

AliasMatch /SOGo/so/ControlPanel/Products/(.*)/Resources/(.*) \
           <GNUSTEP_LOCAL_ROOT>/Library/SOGo-0.9/$1.SOGo/Resources/$2

<LocationMatch "^/SOGo*">
  AddDefaultCharset UTF-8
  SetHandler ngobjweb-adaptor
  SetAppPort <sogod-0.9 port>
</LocationMatch>

<LocationMatch "^/SOGo/so/ControlPanel/Products/.*UI/Resources/.*png">
  SetHandler default-handler
</LocationMatch>

<LocationMatch "^/SOGo/so/ControlPanel/Products/.*UI/Resources/.*gif">
  SetHandler default-handler
</LocationMatch>

<LocationMatch "^/SOGo/so/ControlPanel/Products/.*UI/Resources/.*css">
  SetHandler default-handler
</LocationMatch>

<LocationMatch "^/SOGo/so/ControlPanel/Products/.*UI/Resources/.*js">
  SetHandler default-handler
</LocationMatch>

You must replace <GNUSTEP_LOCAL_ROOT> with the echoed
value of $GNUSTEP_LOCAL_ROOT (/usr/GNUstep/Local under
Debian). Once the file has been created, restart Apache.

Now you can proceed with the SOGo database creation.
Because we use PostgreSQL here, perform the following steps:

% su - postgres
% createuser --no-createdb --no-adduser --encrypted --pwprompt sogo
% createdb -O sogo sogo
% exit

Before starting SOGo, configure it with a basic set of
configuration parameters. The configuration file is located in
$HOME/GNUstep/Defaults/.GNUstepDefaults, where $HOME is
the home directory of your sogo user. Create this file with the
content shown in Listing 2.

Listing 2. SOGo Configuration Parameters

{
    NSGlobalDomain = {
    };
    "sogod-0.9" = {
        AgenorProfileURL = "http://sogo:sogo@127.0.0.1:5432/sogo/sogo_user_profile";
        NGUseUTF8AsURLEncoding = YES;
        OCSFolderInfoURL = "http://sogo:sogo@127.0.0.1:5432/sogo/sogo_folder_info";
        SOGoAppointmentSendEMailNotifications = YES;
        SOGoAuthentificationMethod = LDAP;
        SOGoDefaultLanguage = English;
        SOGoDefaultMailDomain = example.com;
        SOGoDraftsFolderName = INBOX.Drafts;
        SOGoFallbackIMAP4Server = localhost;
        SOGoLDAPSources = (
            {
                CNFieldName = displayName;
                IDFieldName = cn;
                UIDFieldName = cn;
                baseDN = "ou=example,dc=com";
                bindDN = "cn=superuser,ou=Users,dc=example,dc=com";
                bindPassword = OxdeadkOw;
                canAuthenticate = YES;
                displayName = "Corporate Directory";
                hostname = 127.0.0.1;
                id = public;
                isAddressBook = YES;
                port = 389;
            }
        );
        SOGoMailSpoolPath = "/var/spool/sogo";
        SOGoMailingMechanism = smtp;
        SOGoOtherUsersFolderName = "Other Users";
        SOGoSMTPServer = 127.0.0.1;
        SOGoSentFolderName = INBOX.Sent;
        SOGoServerTimeZone = Canada/Eastern;
        SOGoSharedFolderName = "Shared Folders";
        SOGoSpecialFoldersInRoot = YES;
        SOGoTrashFolderName = INBOX.Trash;
        SOGoUseLocationBasedSentFolder = YES;
        WOMessageUseUTF8 = YES;
        WOParsersUseUTF8 = YES;
        WOPort = 25000;
        WOUseRelativeURLs = NO;
    };
}

For now, the most important parameters in the
configuration file from Listing 2 are AgenorProfileURL and
OCSFolderInfoURL, which must point to your PostgreSQL
database server. SOGoLDAPSources must point to your LDAP
server. In this example, the LDAP source will be used not only
for authentication but also to provide a shared address book
called Corporate Directory, which will be accessible both from
the Web and native interfaces.
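
Listing 2 carries the PostgreSQL password inside AgenorProfileURL and OCSFolderInfoURL and the LDAP bind password in bindPassword, so the defaults file should be readable by the sogo user only. The check below is an added example, not part of the original article or of SOGo; the function names and the embedded sample text are constructed for illustration.

```python
"""Audit a SOGo .GNUstepDefaults file for plaintext credentials (added example)."""
import os
import re
import stat
from urllib.parse import urlsplit

# Constructed sample shaped like Listing 2; values are the article's placeholders.
SAMPLE_DEFAULTS = '''
{
    "sogod-0.9" = {
        AgenorProfileURL = "http://sogo:sogo@127.0.0.1:5432/sogo/sogo_user_profile";
        OCSFolderInfoURL = "http://sogo:sogo@127.0.0.1:5432/sogo/sogo_folder_info";
        SOGoLDAPSources = (
            {
                bindDN = "cn=superuser,ou=Users,dc=example,dc=com";
                bindPassword = OxdeadkOw;
                hostname = 127.0.0.1;
            }
        );
        WOPort = 25000;
    };
}
'''

# Matches `key = value;` where value is "quoted" or a bare token.
# Dictionary and array openers ({ and () are deliberately not matched.
_ASSIGN = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|([^;\s{(]+))\s*;')


def find_embedded_secrets(text):
    """Return sorted (key, kind) pairs for settings that carry a secret."""
    findings = set()
    for match in _ASSIGN.finditer(text):
        key = match.group(1)
        value = match.group(2) if match.group(2) is not None else match.group(3)
        if key.lower().endswith("password"):
            findings.add((key, "plaintext password"))
        elif "://" in value and urlsplit(value).password:
            findings.add((key, "password in URL"))
    return sorted(findings)


def is_owner_only(path):
    """True when neither group nor others have any permission bit set."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & 0o077 == 0


def audit(path):
    """Return human-readable findings for one defaults file."""
    with open(path, encoding="utf-8") as handle:
        secrets = find_embedded_secrets(handle.read())
    report = [f"{key}: {kind}" for key, kind in secrets]
    if secrets and not is_owner_only(path):
        report.append(f"{path}: readable by group or others; restrict it (chmod 600)")
    return report


if __name__ == "__main__":
    for key, kind in find_embedded_secrets(SAMPLE_DEFAULTS):
        print(f"{key}: {kind}")
```

Run `audit()` against the sogo user's $HOME/GNUstep/Defaults/.GNUstepDefaults after creating it; an empty permission finding means only the owner can read the stored passwords.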
Finally, launch the SOGo daemon:

% /usr/local/sbin/sogod-0.9

From Firefox, you now can access http://localhost/SOGo.
You will need to provide the user name/password that you
normally use for IMAP. Figure 1 shows SOGo’s login window.

Figure 1. Login Window


Mozilla Integration 

SOGo integrates well with the Mozilla suite. Sunbird provides a 
complete client-side calendaring application, and Lightning pro- 
vides a calendaring extension to Thunderbird. Combining Lightning 
and Thunderbird results in a complete PIM solution for managing 
e-mail, calendars (events and tasks) and contacts efficiently. 

To connect the Mozilla PIM suite to SOGo, first install and 
configure Mozilla Thunderbird to use the IMAP protocol. Then, 
download the latest releases of Lightning and the SOGo 
Connector extension. From Thunderbird’s Tools menu, choose 
the Add-ons option, and install the extensions you just down- 
loaded. Restart Thunderbird to activate the extensions. 

The next step is to configure Lightning’s CalDAV connector.
From Thunderbird’s File menu, choose New->Calendar, and create
a network calendar of type CalDAV. Specify the appropriate URL to
connect to your SOGo server. Usually, it should be
http://localhost/SOGo/dav/<username>/Calendar/personal/. Next,
configure the SOGo Connector in Thunderbird. From the Address
Book's File menu, choose New->Remote Address Book. Give your
address book a name, and as the URL, specify something like
http://localhost/SOGo/dav/<username>/Contacts/personal/.

You also can use the shared address book provided by 
SOGo (which uses your LDAP server, named Corporate 
Directory) from Thunderbird. To do so, repeat the procedure to 
create a remote address book, but as the URL, specify 
http://localhost/SOGo/dav/<username>/Contacts/public/ and 
check Read Only. 

Once completed, your personal calendar and address book 
are now fully synchronized with SOGo. Events, tasks, contacts 
or e-mail are now accessible from either SOGo’s Web interface 
or from Mozilla Thunderbird/Lightning. 

Figure 2 shows SOGo's Web interface with one personal
and one shared calendar. Figure 3 shows the same information,
but using the Thunderbird and Lightning extension.

Figure 3. SOGo as Seen from Thunderbird and Lightning


Although SOGo’s Web interface allows you to access all infor- 
mation from virtually any computer connected to the Internet, 
some power users need access from their mobile devices, such 
as cellular phones or personal digital assistants. Supporting the 
plethora of devices out there is almost impossible, but the 
SyncML standard finally emerged as an efficient protocol for 
synchronizing PIM-related information between your mobile 
devices and groupware platform. 

Funambol, formerly known as Sync4j, is middleware that sits 
between a groupware server and SyncML-capable devices. Luckily 
for SOGo, a native connector is available for Funambol. This plugin 
lets you connect the middleware to SOGo, so users can synchro- 
nize their contacts, events and tasks with the SOGo server. 

Mobile devices require a SyncML client to synchronize
data through Funambol. Most cellular phones have a built-in
client, but PDAs or smartphones lack one. The recommended
clients are as follows:

- Synthesis SyncML standard if you're using PalmOS-based
  devices.

- Nexthaus SyncJe if you're using a BlackBerry.

- Funambol Windows Mobile clients if you're either using
  Windows CE on a PDA or a smartphone.

There also are clients for other applications, such as Microsoft
Outlook. The latter allows you to synchronize contacts, events and
tasks fully with SOGo through the Funambol middleware.

Figure 4 shows a PalmOS-based device in sync with our
SOGo server.

Figure 4. SOGo from a PDA


Migrating from Legacy Systems 

Whenever you're replacing an existing solution with a new 
one, data migration is a must for your users. Because SOGo 
stores its data directly using the iCalendar and vCard stan- 
dards, migration is relatively easy if the legacy system speaks 
the same language. 

For example, in Microsoft Exchange, you can obtain data 
from it through WebDAV. If you are trying to use a simple 
WebDAV client, such as cadaver, however, you will not be able 
to obtain the data, as the client does not specify in its 
requests a required HTTP header. You need to set the HTTP 
translate header to false if you want to obtain the data from 
the Microsoft Exchange server. Using wget, if you do: 


wget --user=Ludovic --password=***** --header "Translate: f" \
  http://exchange/Exchange/ludovic/Calendar/foo.EML


you will obtain the event with a summary “foo” in the 
foo.EML file. The EML file is actually an RFC 2821 message 
with a text/calendar part. That part can be extracted and 
imported into SOGo easily. WebDAV is de-emphasized in 
Microsoft Exchange 2007, so hurry and migrate from it. 
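
The extraction step described above, as an added example that is not part of the original article: it pulls every text/calendar part out of a saved .EML file, decodes the transfer encoding, restores CRLF line endings and unfolds folded lines so the event can be inspected before import. The sample message is constructed (not real Exchange output) and all function names are hypothetical.

```python
"""Extract the text/calendar part from an Exchange .EML file (added example)."""
from email import message_from_bytes, policy
from email.message import EmailMessage


def build_sample_eml():
    """Constructed stand-in for foo.EML; not real Exchange output."""
    ics = "\r\n".join([
        "BEGIN:VCALENDAR",
        "VERSION:2.0",
        "PRODID:-//Constructed//Sample//EN",
        "BEGIN:VEVENT",
        "UID:constructed-0001@example.com",
        "DTSTART:20080401T140000Z",
        "DTEND:20080401T150000Z",
        "SUMMARY:fo",   # folded on purpose: the next line continues it
        " o",
        "END:VEVENT",
        "END:VCALENDAR",
        "",
    ])
    msg = EmailMessage()
    msg["From"] = "ludovic@example.com"
    msg["To"] = "ludovic@example.com"
    msg["Subject"] = "foo"
    msg.set_content("When: 1 April 2008 14:00-15:00 UTC\n")
    # base64 shows that the extractor must undo the transfer encoding.
    msg.add_alternative(ics, subtype="calendar", cte="base64",
                        params={"method": "REQUEST"})
    return msg.as_bytes()


def normalise_crlf(text):
    """iCalendar content lines end in CRLF; mail handling may leave bare LF."""
    return "\r\n".join(text.splitlines()) + "\r\n"


def extract_calendar_parts(raw_eml):
    """Return the decoded body of every text/calendar part in the message."""
    msg = message_from_bytes(raw_eml, policy=policy.default)
    return [
        normalise_crlf(part.get_content())
        for part in msg.walk()
        if part.get_content_type() == "text/calendar"
    ]


def unfold(ics):
    """Undo line folding: a line starting with space or tab continues the previous one."""
    lines = []
    for line in ics.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines


def event_properties(ics, names=("UID", "SUMMARY", "DTSTART", "DTEND")):
    """Return selected properties of the first VEVENT (parameters such as ;TZID= are dropped)."""
    props, inside = {}, False
    for line in unfold(ics):
        if line == "BEGIN:VEVENT":
            inside = True
        elif line == "END:VEVENT":
            break
        elif inside and ":" in line:
            head, value = line.split(":", 1)
            name = head.split(";", 1)[0].upper()
            if name in names:
                props.setdefault(name, value)
    return props


if __name__ == "__main__":
    for ics in extract_calendar_parts(build_sample_eml()):
        print(event_properties(ics))
```

To use it on real data, read the file fetched with wget in binary mode and pass the bytes to `extract_calendar_parts()`; a message without a calendar part yields an empty list.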

A similar approach can be used with Oracle Calendar. A demo 
program bundled with Oracle’s SDK provides an excellent starting 
point for becoming familiar with the shared library named capi. 
With this library, you can retrieve a user's events formatted with the 
iCalendar standard. As with Microsoft Exchange, the migration 
process is simply to push all events in SOGo through WebDAV. The 
Oracle Calendar’s only limitation is related to recurring events; even 
though a series of events can be identified clearly, there is no easy 
way to retrieve the original recurrence rule definition. This frustra- 
tion surely will be attenuated by the advantages of SOGo, such as 
endless recurring events and a much more modern Web interface. 


Conclusion 

Standards, such as CalDAV and SyncML, finally have 
emerged that improve interoperability between native 
groupware clients and various servers. Open-source 
developers have proven their commitment in supporting 
those standards and created competitive alternatives to 
commercial solutions. 

The Scalable OpenGroupware.org Project always has fol- 
lowed the same motivation—to offer an open-source, scalable 
groupware solution that integrates nicely with the Mozilla PIM 
suite, while not neglecting mobile users. This article should 
help you get started with SOGo, so you can test its functionali- 
ties for yourself. Join the mailing list to discuss your experience 
with the developers.


Francis Lachapelle (flachapelle@inverse.ca) holds a Bachelor's degree in Computer Engineering 
from McGill University. He is currently a senior systems architect for Inverse, Inc., an IT consult- 
ing company located in downtown Montréal that specializes in the deployment of infrastructures 
based on free and open-source components like PacketFence and SOGo. 


Ludovic Marcotte (ludovic@inverse.ca) holds a Bachelor's degree in Computer Science from the 
University of Montréal. He currently is the practice leader for Inverse, Inc., an IT consulting com- 
pany located in downtown Montréal that specializes in the deployment of infrastructures based on 
free and open-source components like PacketFence and SOGo. 


Resources 


Scalable OpenGroupware.org (SOGo): www.scalableogo.org

SOGo Connector for Thunderbird: www.inverse.ca/english/contributions/sogo_connector.html

Funambol: www.funambol.org

Funambol SOGo Connector: www.inverse.ca/contributions/funambol.html

Nexthaus SyncJe for BlackBerry: www.nexthaus.com

Synthesis SyncML Standard for PalmOS: www.synthesis.ch


Take a Screenshot from an X Terminal

To take a screenshot of the entire screen and save the image
as screenshot.png, use the command:

$ import -window root screenshot.png

To select an area to capture with a crosshair, use import
without the -window option.

To take a screenshot of a specific area of the screen,
use the -crop option along with the dimension in pixels,
for example:

import -crop 300X250

The import utility is part of the ImageMagick suite


Hacking the Eee PC


How to tweak your Eee PC. JES HALL 


ASUS’ diminutive sub-notebook, the Eee PC, has so far 
exceeded expectations and is sold out virtually everywhere. Its 
simple interface and wallet-friendly pricing have contributed to 
making the Eee the most popular gadget this season. 

It’s in the hands of the power user that the Eee really 
shines. With hardware support already taken care of, the Eee 
offers an opportunity for beginning-to-intermediate Linux 
users to customise themselves a flexible Linux-based tool using 
the Eee’s easy or full desktop mode. 

In this article, we take you through tweaking your Eee, 
although in the interest of preserving your warranty, most of 
the hacks here are focused on software. The first and most 
important hack is to read the manual that came with your Eee 
to make sure you're completely up to date on everything. 
When you read the manual (because you are going to read it, 
right?), you'll notice that ASUS mentions the keyboard short- 
cut Ctrl-Alt-T to launch a terminal. Gaining root on the default 
Eee install is as simple as issuing the command: 


sudo -s 


There is no password; any person who can open a terminal 
is able to gain root. 

ASUS’ easy mode uses a customised IceWM 
(www.icewm.org), a standard X11 window manager 
that’s been around for a very long time. It’s relatively easy 
to customise to your liking. The first step is creating a 
directory for local modifications. Open a terminal using 
the aforementioned keyboard shortcut, and type: 


mkdir ~/.icewm 
cp /etc/X11/icewm/* /home/user/.icewm/ 


This creates a local customisation directory and copies the 
ASUS IceWM configuration into it, ready for you to modify. As 
not all of the software that ships with the Eee is accessible 
through the easy mode launcher, the first useful thing to
tweak on the Eee is to add the IceWM panel menu and edit it
to add those applications that aren't exposed through the easy
mode interface.

Figure 1. The IceWM Menu, with the Menu File in the Background

To enable the menu, edit ~/.icewm/config, and scroll down 
to the option named TaskBarShowStartMenu. Change the 0 in 
the uncommented value to 1, and save the file. You need to 
restart your Eee for the menu to show up: 


# Show 'Start' menu on task bar 
# TaskBarShowStartMenu=1 # 0/1 
TaskBarShowStartMenu=1 


To edit the menu, open ~/.icewm/menu in your favourite 
editor. The menu format is pretty simple, following the syntax: 


prog label icon command

where label, icon and command are replaced with the appropriate
entries for the application you want to launch. For example,
to add an entry that launches Konsole, the KDE terminal
emulator, you would create an entry as follows:

prog Konsole konsole konsole

Submenus are described with the following syntax: 


menu "Label" { 


} 


Program entries or further submenus are defined between 
the curly braces. 

The first thing we all thought on using the Eee when we
first received it was “the Windows XP theme doesn’t look
attractive on XP, let alone on Linux. How the heck do we
change this abomination?”

Figure 2. A broad selection of attractive themes are available for IceWM.

You'll be pleased to know that this is extremely simple, 
now that the menu is enabled. The biggest theme repository 
for IceWM is at themes.freshmeat.net/browse/925, with 
hundreds of themes from which to choose. Once you've 
downloaded a theme, create the folder ~/.icewm/themes, and 
extract the theme to that folder. It will now be selectable from 
the IceWM menu under Settings->Themes.

You can find a wide range of other customisations by 
reading the comments in the ~/.icewm/preferences file. Some 
notable ones are showing the workspace switcher on the 
panel and adding a CPU meter. Traditional window manager 
settings, such as focus model, are available as well. 

With a built-in Webcam, it’s a shame that the Eee PC 
didn’t ship with the Linux beta of Skype that allows video 
calling. It is, however, easy to install by hand. Navigate to 
www.skype.com/download/skype/linux, and elect to 
download not the current stable version, but the beta. When it 
asks you to select your distribution, download the package for 
Debian Etch. Once you've downloaded it to disk, open a 
terminal and navigate to where the file was saved. Type the 
following to install the package: 

dpkg -i skype-debian_2.0.0.27-1_i386.deb

The version number of the package may have changed 
since the time of this writing. As this upgrades the version 
of Skype already installed, the Skype launcher will launch 
the new version. 

During the course of adding applications to the menu, the 
observant will notice that the Eee ships with most of KDE 
installed. During its development phase, the Eee exposed an 
option to enable a full desktop mode with a complete KDE 3.4 
desktop. The most elegant solution for enabling the full desk- 
top is to install a package that does the configuration for you 
from wiki.eeeuser.com/howto:getkde. This package essen- 
tially downloads the packages for kicker and ksmserver, and 
modifies the ASUS startup scripts. It adds an option to log in 
to full desktop mode from the easy mode shutdown dialog. 
To get back into easy mode, there is an option in the K menu.
This page also details the manual methods for enabling full
desktop mode.

Figure 3. Some Linux mascots take time out from their busy schedule
to test video calling for us.

Figure 4. A Full KDE Desktop

Adding more software from a Xandros or Debian repository 
is the next logical step in customising the operating system that 
ships with the Eee. For us, the Eee requires only the addition 
of Emacs and Subversion to be a great portable hacking tool. 
You can use any Debian Sarge repository or a Xandros 4.0 
one, as shown below. There are a few caveats though. As the 
Xandros running on the Eee is heavily customised by ASUS, it’s 
very easy to end up with the Eee in an unbootable state if you 
allow apt to upgrade too much. Although it’s not a complete 
solution, apt pinning can be used to ensure that the ASUS 
repository always takes priority for a package. 

Add your repository to /etc/apt/sources.list with your
favourite text editor as root, either your local Debian Sarge
repository or the Xandros one below:

deb http://xnv4.xandros.com/4.0/pkg xandros4.0-xn main contrib non-free


Then, create the file /etc/apt/preferences, and add the lines: 


Package: * 
Pin: origin update.eepc.asus.com 
Pin-Priority: 999 


As apt sources default to a lower priority, this ensures that 
packages from the ASUS repository are prioritised. It’s still pos- 
sible though to break your Eee by installing packages willy- 
nilly. If it looks as though an action is going to upgrade a large 
number of packages, especially if it looks like what it’s upgrad- 
ing is all of KDE, cancel the change. 

This limitation can be extremely frustrating if you want to 
make more drastic changes to your Eee PC's installed packages. 
Another option is to install a generic Linux distribution on the Eee. 
eeeXubuntu (wiki.eeeuser.com/ubuntu:eeexubuntu:home) 
is a version of the Xubuntu 7.10 distribution with Eee-specific 
drivers integrated and tweaks for low-resolution displays. It’s 
an excellent choice if you want a more modern distribution 
on your Eee but would prefer not to compile the drivers from 
ASUS by hand. 

The wiki page has in-depth instructions on how to create a 
bootable USB stick for your Eee. Boot your Eee from the USB
stick by pressing Esc at boot time to get to the boot options
menu, and from the GRUB bootloader, select the option to
load eeeXubuntu with Eee-specific drivers and fixes. From
there, it’s all very familiar. Click the Install icon on the desktop
once the live CD loads, and navigate your way through the
Ubuntu installer.

Figure 5. eeeXubuntu is a customised Xubuntu for the Eee PC.

If your Eee has 512MB or more of memory, you probably 
can get away with not creating a swap partition. In our testing, 
running Firefox, Pidgin and Thunderbird, the Eee was using 
approximately 300MB of memory, minus buffers/caching. 
If your Eee has 1,024MB or more of memory, you'll never 
notice the difference. 

Opting out of swap, however, does have the side effect 
that hibernate to disk is disabled. The Eee does have suspend 
to RAM support under eeeXubuntu, but this level of suspend 
does consume a fair amount of battery. Leave your Eee 
suspended for 24 hours, and expect to see your battery down 
to half when you resume it. 

The simplest and most rewarding Eee hardware mod is 
upgrading the built-in memory. Note: this mod requires 
removing a sticker that claims its removal will void your 
warranty. According to a public statement by ASUS at 
usa.asus.com/news_show.aspx?id=9223, this is not the 
case, and upgrading your memory will not void the warranty 
on your Eee. However, Linux Journal takes no responsibility for 
any damages to your Eee or loss of warranty incurred by 
following this advice. 

The Eee PC takes a single SODIMM of DDR2-667, in either
512, 1,024 or 2,048MB. That's right, the Eee PC can be
upgraded to an impressive 2GB of memory.

To upgrade the memory on your Eee, you need a set of 
small electronics screwdrivers and a clean surface that's safe 
for handling static-sensitive equipment. 

If you haven't installed memory before, Linux Journal 
recommends you enlist the help of a professional or a 
hardware-minded friend. 

Ensure that the Eee is shut down (not suspended), and 
unplug it from the power. Turn the Eee upside down and 
remove the battery. 

Using a very small Phillips screwdriver, remove the two
screws in the memory panel. One is covered by a sticker that
will tear easily if you simply remove the screw as though the
sticker was not there.

Figure 6. Removing the Module

Use a small flatblade screwdriver very carefully or a finger- 
nail to lever up the memory compartment. Put the memory 
compartment cover and the screws to one side. 

To remove the memory that shipped with your Eee, carefully 
use a pair of small screwdrivers or your fingers to lever the 
clips outward. The memory module will pop upward when it is 
free of the clips. Remove the module from the slot, taking care 
to touch only the very outside edges of the module. 

Place the module aside in a static-safe place, and remove 
the new module from its packaging. Place it in the slot at a 
45-degree angle, as shown in Figure 7, taking care that the 
notch on the module matches the key on the slot. When the 
module's base is securely slotted in, it can be carefully lowered 
into position by pushing the top corners of the module back- 
ward with your fingers, so that it lies flat against the Eee’s 
motherboard. The metal clips should snap over the sides of the 
module with a satisfying click when it’s properly in place. Once 
the memory is secure, replace the memory compartment cover
and ensure that all sides have clicked down.

Figure 7. Installing the New Module

If you're anything like us, at this point, you'll hunt all over 
the desk searching for the screws only to find them 20 min- 
utes later stuck to the magnetic closure on the MacBook. 
Replace the two screws to secure the memory compartment 
cover, and insert the battery again. It’s always a good idea to 
run memtest86 over any new memory you install, which is an 
option from any recent Ubuntu live CD or the eeeXubuntu 
bootable USB stick if you made one earlier. 

It’s pretty easy to see how the Eee has taken the personal 
computer market by storm. It's cheap, friendly and oh-so-very 
hackable, with something for everyone. There are myriad 
other hacks not covered here, from installing Linux distribu- 
tions and adding the drivers yourself to soldering additional 
gadgets to the motherboard. In fact, that’s what we're off 
to do right after we submit this article—solder a mutilated 
Bluetooth dongle to the motherboard, as now we won't 
get in trouble if we break it. 

Have fun hacking your Eee, but remember—installing 
Windows is cruel to Eee PCs and not endorsed by Linux Journal!


Jes Hall is a Linux Technical Specialist and KDE developer from New Zealand. She's passionate 
about helping open-source software bring life-changing information and tools to those who 
would otherwise not have them.


Puppy Linux


Exploring everyone's pet Linux. Louis J. IACONA 


It would be fair to say that the Linux landscape is somewhat
cluttered with distributions, each offering a slight value delta
to consider. So, I didn’t expect to be evaluating yet another
distro any time soon. Recently, however, I went hunting for an
embedded Linux solution for small devices, and along the way,
I stumbled on something that offers much more general value
than what I was looking for—a Linux distribution called Puppy
Linux (hereafter referred to as PL).

PL is getting a lot of attention and steadily gaining popu- 
larity, and it seemed worthy of further examination. At first 
glance, PL is a distribution praised for being small, fast and 
stunningly complete for its size—just as complete and secure 
as most desktop distributions. It also has the relatively unique 
distinction of being usable from live bootable removable 
media—CD/DVD or even a USB Flash device. 

PL was developed and organized by Barry Kauler in 2003 
as a fresh-start Linux Distribution Project—that is, it did not 
grow out of an existing distribution. Its goal and identifying 
characteristics have been consistent—offer a small, efficient 
distribution that doesn’t sacrifice on user features or ease of 
use. PL’s lightweight footprint makes it practical to use directly 
from a portable bootable image rather than needing to install 
it onto a fixed internal disk. In fact, PL can be booted and used 
effectively from any medium, ranging from a floppy disk to a 
network server. 


Prerequisites 

To try PL, you need access to a CD/DVD R/W drive and disk 
writer software capable of burning ISO images and a host 
PC/laptop with the following: 


- Pentium II-class processor.

- Removable media (CD/DVD or USB device).

- BIOS that will allow the computer to boot from CD or
  USB—this device needs to appear before internal drives
  or other active boot options.

- RAM: 128MB-256MB (at minimum).

- Internet connection.


The machine I primarily used for testing is now a dedicated
PL host. On the surface, this machine was ready for the scrap
heap—a vintage Pentium III, 600MHz processor with 384MB
of RAM. The PL community has suggested that a 100MHz-
class machine with a minimum of 64MB of RAM will support
PL. That may be, but I would expect it to be very tight and
recommend more memory and a faster processor.


What Breed Is This?

So what does the PL distribution contain? Given the size of 
the bootable image—the latest 3.0.1 release is smaller than 
100MB—you might be surprised to see the completeness of 
PL. PL includes utilities and applications for anything a desktop 
user typically expects and needs to do—browse and communi- 
cate on the Web, view and manipulate digital photos and 
other media files, create documents, play games and so on. 
Specifically, the default core distribution includes the following: 


- Desktop control, filesystem browser and command-line
  console.

- Choice of two X servers and the JWM (Joe's Window
  Manager).

- Language interpreters: Perl, TCL/TK and the bash-
  compatible shell.

- An assortment of media players and burners.

- Office applications: word processor, spreadsheet and
  PDF writer.

- Internet client tools: base Mozilla browser (Seamonkey),
  chat, FTP, e-mail, secure shell/Telnet, a wiki and a Web-
  authoring tool.

- Network services, including an FTP server and firewall.

- System administration utilities to manage and monitor
  disks/filesystems, job scheduling, printers, processes and
  memory usage.

- Drawing/graphics applications.

- A handful of games and dozens of utilities for managing
  PL's activities, life cycle and appearance.

Additionally available packages include:

- Web server.

- Gaim chat client.

- GIMP photo editor and other image manipulation and
  viewing tools.

- Additional development tools, including additional TCL/TK
  tools/libraries, Python and full bash 3.1 interpreters.

- Additional media applications.

- C/C++ compilers and libraries.

- And, too many more applications to list here.


Not bad! And, you don’t need to start with the standard 
core set of applications. Through a process documented 
under “Puppy Linux Unleashed” (www.puppyos.com/ 
puppy-unleashed.htm), you can create a customized 
distribution from more than 500 packages designed to run 
under PL. The PL community puts the total number of avail- 
able applications at more than 1,000. 


Get Up and Barking 

Not just making a “puppy” quip here—if PL was able to con-
figure your audio device during the boot process, you'll hear
the sound of a gentle dog bark, “woof, woof”. If not, a sound
wizard can be launched from Menu->Setup->Wizard Wizard
to attempt a manual sound card setup.

The two most impressive things I discovered about PL were
how quickly I was able to have a functioning PL desktop and how
well it performed. GUI applications launched instantaneously
and seemingly without stepping on each other. For now,
let's concentrate on getting PL running on the closest laptop
or workstation.

Obtain a PL ISO image by downloading it from the Web 
or purchasing CD media. As it’s smaller than 100MB, you can 
download it quickly over a broadband Internet connection. 
Or, you can purchase bootable media for a few dollars at 
www.linuxonline.biz/index.php?cPath=137_149. 


Downloading the ISO Image 

The complete set of live ISOs and other PL artifacts are avail- 
able at ibiblio.org/pub/linux/distributions/puppylinux. 
Higher-level information about PL offerings is available at 
puppylinux.net/download/downpage.htm. I strongly
suggest using the latest release—3.0.1, at the time of this 
writing. It's a stable, much-improved release compared to 
2.x: ibiblio.org/pub/linux/distributions/puppylinux/ 
puppy-3.01-seamonkey.iso. 


Creating Bootable Media 

Now, write the ISO to a CD/DVD disk using an application that 
can deal with ISO images, such as K3b on Linux or Roxio on 
Windows. The primary files on the ISO needed to boot and 
host PL are the following: 


- vmlinuz—the kernel.

- initrd.gz—a compressed RAM disk image used during the
  boot process.

- pup_300.sfs—contains other system files packaged outside
  the RAM disk image (the largest file by far).

- zdrv_300.sfs—contains a complete set of drivers and firmware.


The First Boot 

I attempted to boot the PL media from every PC I could
access—five laptops and three workstations. I didn’t need
to do anything special in any of these instances. Assuming
the ISO image is burned correctly and your system is set up 
to boot from CD, you're ready to start your PL experience. 
If not, check the contents of the ISO through an explorer, 
and make sure the system’s BIOS boot sequence includes 
the CD/DVD drive before other bootable drives. A desired 
BIOS boot sequence will be something like this: 


- USB—if available. An older system with USB interfaces
  may still not offer USB as a boot option. In that case, if
  you're interested in configuring a USB resident PL boot
  image, you might be able to resolve this by updating
  the BIOS.

- CD/DVD.

- Floppy.

- Internal disk.

- Network boot.


PL Boot Cycles 

During the first boot process, PL automatically determines a 
lot about the underlying hardware, but it prompts the user 
for additional guidance. Once the X server and window 
manager are functioning, you'll see an initial desktop that 
looks something like what's shown in Figure 1.

Figure 1. The Initial Puppy Boot Desktop—Complete with Coaching Text


PL now is ready to be used. Some devices need to be 
configured manually (through GUI utilities), and users likely 
will want to apply customizations, create data files and 
perhaps install additional packages. At the first graceful 
reboot or power cycle, users are asked where such data 
should be persisted between sessions, so subsequent 
reboots are typically non-interactive.


First Boot Life Cycle—Details 
During the first PL boot, users are prompted as follows:

Screen 1: select keyboard layout locale (US is generally
the default).

Screen 2: the Puppy Video Wizard prompts for two
preferences:

- Step 1: X Window System server choice, select X server.
  X.org is heavier-weight but more capable, and may not
  work well with older, more obscure video devices. This is
  usually the better choice. Xvesa is lighter-weight, has a
  fixed refresh rate and supports a narrower set of input
  devices. If X.org proves problematic, try Xvesa.

- Step 2: select screen resolution. Driven by the perceived
  capabilities of the discovered graphics card/monitor, a set
  of resolution choices will be presented, usually between
  860 and 1,400+.


What's on the desktop? By default, the desktop launch icons 
for the commonly accessed applications are organized as follows: 


■ Row 1: system setup and administration utilities.

■ Row 2: office-related applications, such as a word processor.

■ Row 3: network client applications, such as a browser and
chat tool.

■ Row 4 (and below): personal tools, such as a calendar,
contact organizers and multimedia tools.


Access to the complete set of applications is provided 
through the lower-left menu button. Here's an overview of its 
organization: 


■ Desktop: basic desktop settings, window manager control,
set time/date.

■ System: printer management, system monitoring, boot
manager configuration.

■ Setup: application installation, network tools, remaster live
PL media.

■ Utility: shell prompt, backup.

■ FileSystem: file browsing/searching, disk mounter.

■ Graphic: paint, graphics editing, screen capture.

■ Document: dictionary, word processor, Web authoring.

■ Calculate: calculators, personal finance.

■ Personal: Wiki, address book, password setting.

■ Network: firewall and other network services.

■ Internet: browser and all other network clients.

■ Multimedia: CD creation, photo, video and sound viewing
and editing.

■ Fun: games.

■ Help: help topics and system documentation.

■ Shutdown: session control and restarting fundamental desktop
services like the X Window System and the window manager.


The first thing you'll likely want to do after booting is 
launch the Puppy Disk Mounter. Refer to the upper-right 
section of Figure 1. It can be launched through the top-row 
drives icon. Notice that drive partitions hda1 and hda2 are 
mounted under the /mnt directory. The output of the df -h 
command shows the following: 


Filesystem   Size    Used    Available  Use%  Mounted on
tmpfs        219.9M  6.9M    213.0M     3%    /initrd/pup_rw
tmpfs        77.9M   77.0M   916.0k     99%   /initrd/mnt/tmpfs
/dev/loop0   77.0M   77.0M   0          100%  /initrd/pup_ro2
unionfs      219.9M  6.9M    213.0M     3%    /
shmfs        87.0M   0       87.0M      0%    /dev/shm
/dev/hda1    5.0G    3.3G    1.7G       66%   /mnt/hda1
/dev/hda2    50.9G   32.3G   18.5G      64%   /mnt/hda2


Apart from the RAM Disk and shared memory entries,
notice the two drive partitions under /mnt. The very next thing
you'll want to launch is the Internet Connection Wizard
through the Connect Globe desktop icon (lower-left section of
Figure 1) or the Menu->Setup->Network Wizard. This lets you
configure and set up a cabled or wireless network interface.
For example, you'll probably configure the eth0 interface to
obtain an address automatically through a DHCP server. You
need to do this only once—network settings can persist across
sessions (Figure 2).

If you select a wireless interface (such as ath0), use the
Scan button in the next dialog box to locate your network.
Again, you'll probably want to select Auto DHCP. Once a
network interface has been configured, you can test basic
network access by launching the browser, chat client or other
network application. Then, you can choose to install any
additional packages to suit your needs. The launched PETget
Package Manager is shown in Figure 3.

Figure 2. Network configuration made easy.

Figure 3. Managing Applications with PETget

Figure 4. Puppy Linux at Work


PETget is very straightforward to work with. Typically, it's
used to download updates and additions from the network
(using wget), and it finds and resolves dependencies fairly
seamlessly. The PETget operations can be very interactive, and
the dialogs present a lot of information. Be sure you
understand what's being installed or updated, and that you'll
need to restart the window manager
(Menu->Shutdown->restart JWM) before new applications are
added to the Menu button structure. Also, depending on
what's been installed, because so much of the runtime is
maintained on the RAM disk for efficiency, the system may
need to be rebooted. So, take time to read the PETget dialogs.

Just as noteworthy as the first boot is the first terminated
session. Here's some detail on a sample interaction the first
time the system is rebooted or powered down:

■ Screen 1: save changes to file: Yes/No. Specify yes if you
want the changes you've applied to be carried to subsequent
sessions.

■ Screen 2: if you've decided to save your changes, you'll be
asked for a target—what mounted filesystem or removable
media?

■ Screen 3: by default, your working session data is saved to
a standalone ext2 filesystem file called pup_save.2fs. You'll
be given an opportunity to override this name.

■ Screen 4: apply encryption—choices are none, weak or
strong. If you're saving data you care about on removable
media, it might make sense to select an encryption level,
allowing you to assign a password, which you'll need to
provide at subsequent boots.


■ Screen 5: specify an initial size for the standalone ext2
filesystem file that will contain PL customization data;
512MB is the default and recommended size, but larger
is better.

■ Screen 6: if you're saving the session data on faster media
than the boot CD/DVD (such as an internal IDE drive), you
will be given the option of saving some PL runtime files to
speed up the boot process going forward.

■ Screen 7: review/confirmation—opportunity to change
details or cancel.


Housebroken Puppy 

On subsequent PL boots, you'll notice a few differences. (You
need to attach removable media if that's where your
customizations have been saved.) You'll find that PL has
maintained its network configuration (assuming it was saved), the
initial desktop (Welcome, woof, woof!) has been replaced with
a plain-color backdrop, the applications you've installed are
now accessible through the Menu structure, and an additional
filesystem has been mounted under /initrd/mnt/dev_save. As
before, all mounted devices appear under /mnt. See the
updated output of df -h below:


Filesystem   Size    Used    Available  Use%  Mounted on
/dev/hda2    50.9G   32.9G   17.9G      65%   /initrd/mnt/dev_save
/dev/loop1   495.8M  73.3M   422.5M     15%   /initrd/pup_rw
tmpfs        77.9M   77.0M   916.0k     99%   /initrd/mnt/tmpfs
/dev/loop0   77.0M   77.0M   0          100%  /initrd/pup_ro2
unionfs      495.8M  73.3M   422.5M     15%   /
tmpfs        55.0M   96.0k   54.9M      0%    /tmp
shmfs        46.1M   0       46.1M      0%    /dev/shm


For convenience, a symbolic link to /initrd/mnt/dev_save
has been created at /mnt/home. This is where all system
changes and other PL-specific data have been persisted as
per your first reboot. On my dedicated PL host, the contents
of /mnt/home appear as follows—it's basically the entire
contents of my hard drive:

Downloads    RJE           junk   lost+found
pup_300.sfs  pup_save.2fs  notes  zdrv_300.sfs

PL depends on the following files to persist user data
across sessions and perform better:

■ pup_save.2fs: the standalone ext2 filesystem containing all
session data—that is, cumulative changes applied to the
base system.

■ zdrv_300.sfs and pup_300.sfs: the embedded 300 refers
to the release. These two files were copied to the hard
drive at the end of the first session. They also reside on the
PL-bootable ISO image, but having them here allows the
system to start and operate more efficiently.


PL will never access or modify any file other than the 
PL-specific files on its own. 


Tricks—What's This Puppy Good For? 

Given its basic features and content, several potential niches 
immediately come to mind, even without exploring beyond 
the surface material covered here. 

PL can be used as a portable computing environment. 
There's something very intriguing about carrying a computing 
desktop around on a key chain in a shirt pocket. PL’s Universal 
Installer can remaster a current system snapshot on a USB 
drive (providing it’s large enough), and that carry-along 
drive can be used to boot your customized PL and user 
data onto any PC that's capable of booting from a USB 
device. An overview of the USB setup process is available at 
www.pendrivelinux.com/2006/03/25/puppy-linux-on-usb. 

If Windows or some other installed OS becomes inoperable,
that could present an untimely dilemma—making your basic
desktop services unavailable and blocking access to the data
residing on the system drives. Booting PL from removable
media and gaining access to those drives provides the core of a
data recovery tool and a temporary (at the very least), usable
desktop environment. Even if you're not dealing with an
emergency now, it's a good idea to obtain and test a bootable PL
image just to make sure you can boot it and see your system
devices—your internal disks, the network and removable media
devices. You'll be that much closer to data recovery and/or a
functioning desktop platform should an emergency arise.

PL would be an excellent framework for any academic 
coursework that revolves around software development, 
system internals or small device control and the like. 
Advanced PL customization topics are well documented at 
puppylinux.net/puppy-unleashed.htm. A base PL image 
can be assembled from scratch and can be as inclusive or 
limited as your requirements dictate. Meanwhile, for those 
assignments that call for digging deeper into PL, kernel 
configuration/build-related topics are available at 
puppylinux.net/development/compilekernel.htm. 

As I mentioned previously, my dedicated PL host was a
proverbial paperweight. What modern OS could I practically
operate on a Pentium III-class machine with “matching”
resources? PL provides an excellent vehicle for getting these
vintage platforms working again. Thinking more globally, this
inexpensive platform (PL plus older generation hardware) can
put a lot of computing power in the hands of people who
might otherwise have none. Considering that this rich, but free,
OS can operate reasonably well on seven- or eight-year-old
hardware, PL presents some interesting opportunities. Efforts
abound to address the so-called digital divide, and PL
can be a facilitator both locally and worldwide. Nonprofit
organizations, less-affluent educational institutions and all
individuals sensitive to technology costs would be excellent
PL candidates.

I haven't noticed anything that would necessarily make PL a
bad choice for general-purpose desktop needs—providing you
feel comfortable with a few manual configuration steps (which
is often the case with most distributions anyway) and
installing a few desired packages that might be excluded in the
default distribution.

I see some potential here, and I would wager that PL continues
to gain more attention and popularity. PL’s agility and
surprising completeness make it far from a one-trick puppy
(okay, that'll be the last silly puppy quip). Given what PL
offers, the ease of getting started and the almost stunning
performance on vintage hardware, there is something here
worth watching. A common experience in a desktop upgrade
path is obtaining more powerful hardware, only to experience
the same or slightly better performance. Imagine going the
other way—regressing several generations of hardware and
realizing better performance.

Who should test-drive PL? If you were interested enough to
read through this material, you're a good candidate. It
requires a small investment of your time and none of your
money. And, its usefulness as a data/system-rescue utility is
something every desktop user should keep in mind.

This article represents information that I was able to glean
after kicking the tires for 40-odd hours—taking PL in
directions that interested me. For completeness, I’ll offer a bit
of subjective criticism. PL is not a flawless desktop. I thought
a few utilities could use a face-lift as they presented screens
that looked a bit toyish—long on text and short on intuitive
functionality. Because of that, there were a couple instances
when I felt I either experienced a minor bug or committed a
pilot error—couldn't really be sure. That's forgivable, because
overwhelmingly, things worked as expected and as documented
on the first attempt. I’m sure noticeable kinks will be
addressed over time. For now, PL may very well stand alone
within its sweet spot.

Louis J. Iacona has been designing and developing software
since 1982, mainly on UNIX/Linux platforms. Most recently,
his efforts have focused on Java/J2EE-implemented solutions
for enterprise-scoped applications and leveraging
virtualization techniques. Louis is currently on assignment
at HP Software in Paramus, New Jersey, and can be
reached at louis.iacona@verizon.net.

Resources

Puppy Linux: www.puppylinux.com

PL Distribution Home Page: www.puppylinux.org

PL FAQ: puppylinux.com/faq.htm

PL User Manuals: puppylinux.com/manuals.htm

PL Discussion Forums: www.murga-linux.com/puppy

PL for Developers: puppylinux.com/development/developer.htm

PL News: www.puppylinux.org/wikka/LatestNews

PL Video Tutorials: rhinoweb.us

PL Media Purchase: www.linuxonline.biz/index.php?cPath=137_149

Getting Real about the Ideal

Nothing's perfect. That’s why we'll never stop debugging
everything. DOC SEARLS

Solutions might be useful, but problems are
what make stories interesting. That's why I like
reading the Linux-Kernel Mailing List (LKML)
and the Kernel Trap Web site. I’m no hacker,
and most of the work that's discussed there is
too arcane for me. But, there still are problems
to follow, and most of them lead somewhere.

Take the thread New Kernel Bugs, started by
Natalie Protasevich on November 13, 2007.
Andrew Morton followed by noting “no
response from developers” after most of the
bugs, concluding:

So I count around seven reports that
people are doing something with and
27 that have been just ignored.

Three of these reports have been identified
as regressions. All three of those
remain unresponded to.

After many posts about particulars, David
Miller added, “I think you like just saying ‘No
response from developers’ over and over again to
make some point about how developers are
ignoring lots of bugs. That's fine, but at least be
accurate about it.”

Andrew replied, “Do you believe that our
response to bug reports is adequate?”

David came back with:

Do you feel that making us feel and
look like shit helps?

...When someone like me is bug fixing
full time, I take massive offense to the
impression you're trying to give, especially
when it’s directed at the networking.

So turn it down a notch Andrew.

Andrew replied:

That doesn’t answer my question.

See, first we need to work out
whether we have a problem. If we do
this, then we can then think about
what to do about it.

I tried to convince the 2006 KS attendees
that we have a problem and I
resoundingly failed. People seemed to
think that we're doing OK.

But it appears that data such as this
contradicts that belief.

This is not a minor matter. If the kernel
is slowly deteriorating, then this won't
become readily apparent until it has
been happening for a number of years.
By that stage, there will be so much
work to do to get us back to an acceptable
level that it will take a huge effort.
And it will take a long time after that
for the kernel to get its reputation back.

So it is important that we catch deterioration
early if it is happening.

Ingo Molnar followed with a long post
that ended with:

Paradoxically, the “end product” is still
considerably good quality in absolute
terms because other pieces of our
infrastructure are so good and powerful,
but QA is still a “weak link” of
our path to the user that reduces the
quality of the end result. We could
really be so much better without any
compromises that hurt.

Much discussion among many participants
followed, about the “new development
model” and about policies and practices
around bug-fixing, patching and, in general,
debugging the debugging process. The thread
ran to more than 100 posts, near as I can
bother to count, over two days.

What stands out for me is how participatory
it all is. Even its disorganization has organized
qualities to it. What organizes it, I think,
is respect for actual contribution. If it doesn’t
help, the principle says, it doesn’t matter. There
is gravity there. It keeps conversation grounded
in the realities of actual contribution.

Linus has been saying this kind of thing for
years. You can hear it again in the interview
excerpted in the UpFront section of this Linux
Journal issue. You also hear something new
concerning the social side of kernel development.
Here’s what Linus says:

So, the technical sides are often easier
in the sense that I don’t get frustrated.
Okay, we've had a bug and we've
hit our head against a technical bug
for a couple months and, yes, that can
be slightly frustrating, but at the same
time, you always know it's something
that you are going to solve and...I
never worry about that.


The social side is maybe a bit more difficult
in the sense that that can be
really frustrating and sometimes you
don’t solve the social problems and
people get upset, and I think that's
very interesting too. I mean...if everybody
was easy and everybody was all
pulling in the same direction, it wouldn't
be as fun and interesting. And it’s
different and also it changes from time
to time. Sometimes we concentrate on
technical problems and then occasionally,
happily fairly seldom, there comes
this perfect storm of social issues that
start up, and one flame war perhaps
brings out some other issues that people
have had and have been kind of
simmering under the surface....


Outside this small world it has become
fashionable to talk about “social networks”
and point to Facebook and MySpace, with their
millions of users and zillions of posts, as examples
of those. Perhaps they are. But there's a
difference between those and the societies of
constructive problem-solvers who create the
infrastructure on which civilization relies. One
welcomes, and even values, noise. The other
one doesn’t. Which would you rather build on?

The trick is knowing what goes into what
you rely on. With open-source code, and open
development methods—including discussion
among developers themselves—you can do
that. You can know. Or at least try to know.

At their best, humans are creatures that try
to know what's going on. But humans also
aren't perfect. No species is. Life is experimental.
Behavior, like the beings that commit it, is
all prototype. So are developments amidst crystals,
weather, geology, stars and galaxies. All is
alpha and beta, and we never get to omega.
Nor should we. Getting better is far more
interesting than being perfect. You can build
toward the ideal. But you use what's real.


Doc Searls is Senior Editor of Linux Journal. He is also a 
Visiting Scholar at the University of California at Santa Barbara 
and a Fellow with the Berkman Center for Internet and Society 
at Harvard University. 